Online fraud solution

ABSTRACT

Various embodiments of the invention provide solutions (including inter alia, systems, methods and software) for dealing with online fraud. Some embodiments function to access and/or obtain information from (and/or receive data from) a data source; the data might, for example, indicate a possible instance of online fraud. Certain embodiments, therefore, can be configured to analyze the data, e.g., to determine whether the data indicate a likely instance of online fraud. Such instances may be further investigated, and/or a response may be initiated. Data sources can include, without limitation, web pages, email messages, online chat sessions, domain zone files, newsgroup (and/or posting thereto), etc. Data obtained from the data sources can include, without limitation, suspect domain registrations, uniform resources locators, references to trademarks, advertisements, etc.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of, and claims the benefit ofU.S. patent application Ser. No. 10/709,398 filed May 2, 2004 by Shraimet al. and entitled “Online Fraud Solution,” the entire disclosure ofwhich is incorporated herein by reference for all purposes. Thisapplication also claims the benefit of the following provisionalapplications, the entire disclosures of which are incorporated herein byreference for all purposes: U.S. Prov. App. No. 60/615,973, filed Oct.4, 2004 by Shraim et al. and entitled “Online Fraud Solution”; U.S.Prov. App. No. 60/610,714, filed Sep. 17, 2004 by Shull and entitled“Methods and Systems for Preventing Online Fraud”; and U.S. Prov. App.No. 60/610,715, filed Sep. 17, 2004 by Shull et al. and entitled“Customer-Based Detection of Online Fraud.”

This application is also related to the following applications, each ofwhich is incorporated by reference herein for all purposes: U.S. patentapplication Ser. No. 10/996,567, filed by Shull et al. and entitled“Enhanced Responses to Online Fraud”; U.S. patent application Ser. No.10/996,990, filed by Shull et al. and entitled “Customer-Based Detectionof Online Fraud”; U.S. patent application Ser. No. 10/996,566, filed byShull et al. and entitled “Early Detection and Monitoring of OnlineFraud”; U.S. patent application Ser. No. 10/996,568, filed by Shull etal. and entitled “Generating Phish Messages”; U.S. patent applicationSer. No. 10/996,993, filed by Shull et al. and entitled “AdvancedResponses to Online Fraud” and U.S. patent application Ser. No.14/680,918, filed by Shull et al. and entitled “Methods and Systems forAnalyzing Data Related to Possible Online Fraud.”

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialthat is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

BACKGROUND OF THE INVENTION

The present invention relates computer systems, and more particularly tosystems, methods and software for detecting, preventing, responding toand/or otherwise dealing with online fraud.

Electronic mail (“email”) has become a staple of modern communications.Unfortunately, however, anyone who uses email on a regular basis isfamiliar with the vast quantities of “spam” (unsolicited email) sent tonearly every email addressee from various advertisers. Although somewhatanalogous to traditional paper “junk mail,” spam is unique in that, forvirtually no cost, a purveyor of spam (“spammer”) can easily and quicklygenerate and transmit copious amounts of spam. Further, limitations inthe Internet-standard simple mail transport protocol (“SMTP”) allowspammers to transmit spam with relative anonymity and, therefore, withcorrespondingly little accountability. Consequently, even though spamannoys the vast majority of recipients and, thus, generates fewsuccessful sales opportunities for the spammer relative to the amount ofspam transmitted, the spam “industry” is burgeoning: Given their abilityto inexpensively and quickly transmit enormous quantities of spam,spammers can make a handsome profit even from the relatively lowresponse rate to the spam advertising.

By their nature, spammers continually search for new recipients(victims) to which to send spam. The spam “industry,” therefore haslaunched a derivative industry of “harvesters,” who scour the Internetand other sources to generate lists of valid email addresses, which theythen sell to the spammers. (Obviously, since these activities gohand-in-hand, many spammers act as harvesters for themselves or theirfellow spammers). Harvesters use a variety of techniques for obtainingemail address lists, and often develop automated search programs(commonly referred to as “robots” or “webcrawlers”) that continuallyskulk about the Internet searching for new email addresses. For example,harvesters obtain email addresses from Internet (and other) news groups,chat rooms, and directory service (e.g., white pages) sites, as well asmessage boards, mailing lists, and web pages, on which users commonlyprovide email addresses for feedback, etc.

The success of spam as a marketing technique has begun to result in theuse of spam to perpetrate “phishing” operations. A phishing operationcan be defined as any type of social engineering attack (typicallyrelying the illegitimate use of a brand name) to induce a consumer totake an action that he/she otherwise would not take. Phishing scams canoperate by bribery, flattery, deceit, cajoling and through othermethods. Phishing operations often involve mass contact of consumers(for example, by “spam” email messages, text messages, VoIP calls,instant messages, etc. as well as through other devices) and generallydirect contacted consumers to a response site, which often is a web sitebut can also be a telephone number, etc.

One fairly common example of a phishing scam is a spam email messageadvertising a well-known software application or package (which in factwas pirated or otherwise obtained illegitimately) at a greatly reducedprice, and directing respondents to a web site where the software can bepurchased. Upon visiting the site, consumers would (or should) know thatthe advertised price is grossly unrealistic and probably indicates sometime of illegitimacy, such as black- or gray-market goods. Someconsumers, however, either out of ignorance or willful blindness, willaccept the phisher's assurances that the software is legitimate andtherefore will purchase the illegitimate software, completing thephishing scam.

Another common phishing operation is known as a “spoofing” scam. Thispractice involves inserting a false email address in the “From” or“Reply-to” headers of an email message, thereby misleading the recipientinto believing that the email originated from a relatively trustedsource. Spoofed emails often appear to be from well-known Internetservice providers (“ISPs”) (such as, for example, America Online™ andThe Microsoft Network™), or other high-profile entities witheasily-identifiable email addresses (including, for example IBM™,Microsoft™, General Motors™ and E-Bay™, as well as various financialinstitutions, online retailers and the like). This spoofing isunacceptable to these entities for many reasons, not the least becauseit causes customer confusion, destroys the value of a well-cultivatedonline presence, creates general mistrust of the spoofed brands andlargely dilutes the value of a reputable entity's online communicationsand transactions.

Further, in many cases, spammers and/or spoofers have developed avenuesof disseminating information amongst their “industry,” including avariety of online for a such as message boards, chat rooms, newsgroups,and the like. At such locations, spammers often discuss strategies formore effective spamming/spoofing, new spoof sites, etc., as well astrade and/or advertise lists of harvested addresses. By using theseresources, spammers and/or spoofers can focus on the most effectivespamming/spoofing techniques, learn from and/or copy the spoofed websites of others, and the like. Such resources also allow a new spammeror spoofer to quickly pick up effective spamming and/or spoofingtechniques.

Perhaps most alarmingly, spam (and spoofed spam in particular) hasincreasingly been used to promote fraudulent activity such as phishingattacks, including identity theft, unauthorized credit card transactionsand/or account withdrawals, and the like. This technique involvesmasquerading as a trusted business in order to induce an unsuspectingconsumer to provide confidential personal information, often in responseto a purported request to update account information, confirm an onlinetransaction, etc. Merely by way of example, a spoofer may send a spoofemail purporting to be from the recipient's bank and requesting(ironically) that the recipient “confirm” her identity by providingconfidential information by reply email or by logging on to a fraudulentweb site. Similarly, a common spoofed message requests that therecipient log on to a well-known e-commerce site and “update” creditcard information stored by that site.

Spam messages (and in particular those that are part of a phishingscheme) often include a uniform resource locator (“URL”) linking to theweb site of the phisher. The web site may, for example, be a responsepoint for the sale of illegitimate goods. In other cases, the URL may beconfigured to appear to be associated with the web site of a spoofedsender, but may actually redirects the recipient to a spoofed web site(i.e., a web site that imitates or is designed to look like the web siteof the spoofed source of the email). Upon visiting the spoofed web site,the recipient may be presented with a form that requests informationsuch as the recipient's address, phone number, social security number,bank account number, credit card number, mother's maiden name, etc. Therecipient, believing that she is communicating with a trusted company,may provide some or all of this information, which then is at thespammer's disposal to use for any of a variety of illegitimate purposes.(In some cases, the link may be configured to present a legitimate website, with an illegitimate and/or spoofed popup window presented overthe legitimate web site with instructions to provide personalinformation, etc., which will be collected by the phisher)

Thus, phishing scams and other illegitimate online activities haveflourished. While such activity is indisputably both illegal andimmoral, the relative anonymity of the phishers, as well as theinternational nature of the Internet, hinders effective legalprosecution for these activities. Merely by way of example, the serverassociated with a fraudulent web site may be located in a country fromwhich prosecution/extradition is highly unlikely. Moreover, thesefraudulent web sites are often highly transient, existing on a givenserver or ISP for a short time (perhaps only a matter of days or evenhours) before the phisher moves on to a new server or ISP. Compoundingthe enforcement problem is the fact that many of the servers hostingfraudulent web sites are legitimate servers that have been compromised(or “hacked”) by the phisher or his associates, with the owner/operatorof the server having no idea that the server is secretly being used forillegitimate purposes.

Accordingly, there is a need for efficient solutions to deal with theseabuses.

BRIEF SUMMARY

Various embodiments of the invention provide solutions (including interalia, systems, methods and software) for dealing with online fraud. Someembodiments function to access and/or obtain information from (and/orreceive data from) a data source; the data might, for example, indicatea possible instance of online fraud. Certain embodiments, therefore, canbe configured to analyze the data, e.g., to determine whether the dataindicate a likely instance of online fraud. Such instances may befurther investigated, and/or a response may be initiated. Data sourcescan include, without limitation, web pages, email messages, online chatsessions, domain zone files, newsgroups (and/or postings thereto), etc.Data obtained from the data sources can include, without limitation,suspect domain registrations, uniform resource locators, references totrademarks, advertisements, etc.

Merely by way of example, one set of embodiments provides systems forcombating online fraud. One exemplary system, which can be used in arelationship between a fraud protection provider and a customer, cancomprise a monitoring center for monitoring suspicious online activity.The monitoring center may comprise a first computer, which may comprisea processor and instructions executable by the processor. Theinstructions may be executable by the first computer to allow ananalysis (which can be performed by the first computer, by a technician,etc.) of an investigation of a uniform resource locator. The monitoringcenter can further comprise a first telecommunication link, which may beconfigured to provide communication between a technician and thecustomer. Hence, in some embodiments, the technician can notify thecustomer of a result of the investigation of a uniform resource locator,and/or the customer can provide instructions for responding to afraudulent attempt to collect personal information. The exemplary systemcan further comprise a second telecommunication link configured toprovide data communication between the monitoring center and at leastone additional computer.

The exemplary system can further comprise a second computer incommunication with the monitoring center, perhaps via the secondtelecommunication link. The second computer may a second processor andinstructions executable by the second processor. In some embodiments,the instructions may be executable to access a data source comprisingdata about a possible fraudulent activity and/or acquire (e.g., from thedata source) the data about the possible fraudulent activity. Theinstructions may be further executable to evaluate the data to determinewhether the possible fraudulent activity should be investigated, and/orto investigate a uniform resource locator associated with the data.

The investigation can determine, merely by way of example, whether aserver referenced by the uniform resource locator is associated with afraudulent attempt to collect personal information. In some embodiments,the data source may comprise domain registration information, and/or anevaluation of the information may indicate a suspicious domain has beenregistered. The second computer thus may include further instructionsexecutable to monitor the suspicious domain for activity. In otherembodiments, the data source may include (without limitation) one ormore of the following: a domain registration zone file, a newsgroup, anonline chat room, and/or an email message.

Another set of embodiments provides methods for preventing, combatingand/or otherwise dealing with online fraud. An exemplary method caninclude, without limitation, accessing a data source, which may comprisedata about a possible fraudulent activity. (A computer may be configuredto access the data source.) Data about the possible fraudulent activitymay be acquired from the data source and/or evaluated (e.g., todetermine whether the possible fraudulent activity should beinvestigated). If appropriate, the method might further compriseinvestigating a uniform resource locator associated with the data (e.g.,to determine whether a server referenced by the uniform resource locatoris associated with a fraudulent activity, such as, merely by way ofexample, a fraudulent attempt to collect personal information from auser), and/or initiating a response to the fraudulent activity.

One or more of a variety of responses may be implemented, in accordancewith various embodiments of the invention. Merely by way of example, oneresponse can comprise submitting for reception by the server one or moreHTTP requests. In some cases, a plurality of HTTP requests may besubmitted to the server substantially simultaneously. One or more of theHTTP requests may comprise a response to a request from the server forpersonal information. Merely by way of example, if a web page hosted bythe server comprises an online form (such as an HTML form, which may bedisplayed by a standard web browser, etc.) that provides fields intowhich a user can enter personal information (such as, for example, aname, social security number, credit card number, account number, etc.),the HTTP request may comprise an HTTP POST request comprising one ormore data elements corresponding to the field(s) of the online form. Ina particular embodiment, one or more of the HTTP requests can comprise aset of safe data associated with a fictitious identity. Each of the setsof safe data, however, may appear to comprise a valid response to, e.g.,an online form.

In particular embodiments, the plurality of HTTP requests may besufficient to substantially prevent the server from responding the anHTTP request submitted by a third party. In this way, for example,embodiments of the invention may be used to prevent ongoing fraudulentactivity by the server, simply by occupying the server and/or renderingit unable to process requests from other users. Merely by way ofexample, in some cases, a server may maintain a connection table thatestablishes a threshold for simultaneous HTTP connection supported bythe server, and/or the plurality of substantially simultaneous HTTPrequests may exceed such a threshold. In particular embodiments, themethod can comprise determining, perhaps based on a response from theserver, whether this threshold has been exceeded. In some embodiments, aplurality of responses may be sent continually over a certain period oftime, perhaps rendering the server unable, at least for the certainperiod of time, to respond to an HTTP request submitted by a thirdparty.

In some cases, it may be desirable to prevent the server from engagingin a fraudulent activity without otherwise harming the server and/or anetwork in communication with the server. Thus, in accordance withparticular embodiments, the plurality of HTTP requests may not besufficient to impair a network infrastructure providing communicationwith the server. In other embodiments, the plurality of HTTP requestsmay be insufficient to impair any process of the server other thanresponding to HTTP requests. In other cases, however, it may bedesirable to shut down the server (and/or a network infrastructureproviding communication with the server) completely. In such cases, avariety of responses may be used, including with limitationdenial-of-service responses known to those skilled in the art.

Those skilled in the art will appreciate that a phisher and/or operatorof a web site designed to engage in fraudulent activity may anticipatesuch responses. Thus, in particular embodiments, one or more of avariety of countermeasures may be implemented to defeat an attempt by aphisher, etc. (who may be the owner of the server, a customer orlicensee of the owner of the server, and/or, in some cases, may be athird party who has compromised a legitimate server for illegitimatepurposes) to filter HTTP requests.

Alternatively and/or in addition, one or more remote computers may beused to submit HTTP requests. Merely by way of example, in particularembodiments, the response to the fraudulent activity can compriseinterfacing with one or more computers. The computers may be distributed(e.g., distributed geographically, distributed among two or moredomains, distributed among two or more blocks of IP addresses, etc.),which can make it more difficult for the server to determine whether thecomputers are acting in concert. The method, then can includeinstructing these computers each to submit one or more HTTP requests forreception by the server. Each of the computers can individually (and/orcollectively) submit HTTP requests in any of the variety of waysdescribed above (e.g., implementing countermeasures, submittingresponses to online forms, etc.). In some cases, each of a plurality ofdistributed computers may be associated with one of a diverse pluralityof IP addresses. Hence, each of the plurality of computers may beassociated with an IP address dissimilar to the rest of the plurality ofIP addresses. In some cases, one or more of the IP addresses may beassociated with a retail Internet service provider. In this way, forexample, the responses from the computers may appear to be responsesfrom consumers.

Another exemplary method can be used to investigate a suspicious uniformresource locator (e.g., to determine whether a server referenced by theuniform resource locator may be involved in a fraudulent activity. Themethod can comprise accessing a data source to obtain data about apossible fraudulent activity, ascertaining from the data a uniformresource locator that might be involved with the possible fraudulentactivity, ascertaining an address associated with a server referenced bythe uniform resource locator and/or obtaining information about anaddress the uniform resource locator appears to reference. Suchinformation can include, merely by way of example, information about anowner of the address, information about a domain registered with respectto the address, etc. In some embodiments, the method can furthercomprise comparing the ascertained address associated with theinformation about the address the uniform resource locator appears toreference; based, e.g., on the comparison of the ascertained address andthe information about the address the uniform resource locator appearsto reference, the method can also include determining whether theuniform resource locator is fraudulent.

Other sets of embodiments provide systems and/or software programs,including without limitation systems configured to perform methods ofthe invention and/or software programs comprising instructionsexecutable by one or more computers to perform methods of the invention.Merely by way of example, an exemplary system comprises a processor andinstructions executable by the processor to perform one or more of themethods described above. As another example, a software program (whichcan be embodied on a computer readable medium) may comprise instructionsexecutable by one or more computers to perform one or more of themethods described above.

BRIEF DESCRIPTION OF THE DRAWINGS

A further understanding of the nature and advantages of the presentinvention may be realized by reference to the figures which aredescribed in remaining portions of the specification. In the figures,like reference numerals are used throughout several to refer to similarcomponents. In some instances, a sub-label consisting of a lower caseletter is associated with a reference numeral to denote one of multiplesimilar components. When reference is made to a reference numeralwithout specification to an existing sub-label, it is intended to referto all such multiple similar components.

FIG. 1A is a functional diagram illustrating a system for combatingonline fraud, in accordance with various embodiments of the invention;

FIG. 1B is a functional diagram illustrating a system for planting baitemail addresses, in accordance with various embodiments of theinvention;

FIG. 2 is a schematic diagram illustrating a system for combating onlinefraud, in accordance with various embodiments of the invention;

FIG. 3 is a generalized schematic diagram of a computer that may beimplemented in a system for combating online fraud, in accordance withvarious embodiments of the invention;

FIGS. 4A, 4B and 4C are process flow diagrams illustrating variousmethods for obtaining information about possible fraudulent activities,in accordance with various embodiments of the invention;

FIG. 5A is a process flow diagram illustrating a method of collectingand analyzing data, in accordance with various embodiments of theinvention;

FIG. 5B is a process flow diagram illustrating procedures for analyzinga uniform resource locator and/or a web site, in accordance with variousembodiments of the invention;

FIG. 6 is a process flow diagram illustrating a method of combatingonline fraud, in accordance with various embodiments of the invention;

FIG. 7 is a process flow diagram illustrating a method of investigatinga suspicious uniform resource locator and/or web site, in accordancewith various embodiments of the invention;

FIG. 8 is a process flow diagram illustrating a method of responding toan attempted online fraud, in accordance with various embodiments of theinvention.

FIGS. 9A and 10 illustrate systems that can be used to submit responsesto a phishing scam, in accordance with various embodiments of theinvention.

FIG. 9B illustrates a method of submitting responses to a phishing scam,in accordance with various embodiments of the invention.

FIG. 11A illustrates a system that can be used to identify an improperuse of a customer's online identity, in accordance with variousembodiments of the invention.

FIG. 11B is a process flow diagram illustrating a method of identifyingan improper use of a customer's online identity, in accordance withvarious embodiments of the invention.

DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS

In accordance with various embodiments, systems, methods and softwareare provided for combating online fraud, and specifically “phishing”operations. An exemplary phishing operation, known as a “spoofing” scam,uses “spoofed” email messages to induce unsuspecting consumers intoaccessing an illicit web site and providing personal information to aserver believed to be operated by a trusted affiliate (such as a bank,online retailer, etc.), when in fact the server is operated by anotherparty masquerading as the trusted affiliate in order to gain access tothe consumers' personal information. As used herein, the term “personalinformation” should be understood to include any information that couldbe used to identify a person and/or normally would be revealed by thatperson only to a relatively trusted entity. Merely by way of example,personal information can include, without limitation, a financialinstitution account number, credit card number, expiration date and/orsecurity code (sometimes referred to in the art as a “Card VerificationNumber,” “Card Verification Value,” “Card Verification Code” or “CVV”),and/or other financial information; a userid, password, mother's maidenname, and/or other security information; a full name, address, phonenumber, social security number, driver's license number, and/or otheridentifying information.

1. Overview

Certain embodiments of the invention feature systems, methods and/orsoftware that attract such spoofed email messages, analyze the messagesto assess the probability that the message is involved with a fraudulentactivity (and/or comprises a spoofed message), and provide responses toany identified fraudulent activity. FIG. 1A illustrates the functionalelements of an exemplary system 100 that can be used to combat onlinefraud in accordance with some of these embodiments and provides ageneral overview of how certain embodiments can operate. (Variousembodiments will be discussed in additional detail below). It should benoted that the functional architecture depicted by FIG. 1A and theprocedures described with respect to each functional component areprovided for purposes of illustration only, and that embodiments of theinvention are not necessarily limited to a particular functional orstructural architecture; the various procedures discussed herein may beperformed in any suitable framework.

In many cases, the system 100 of FIG. 1A may be operated by a fraudprevention service, security service, etc. (referred to herein as a“fraud prevention provider”) for one or more customers. Often, thecustomers will be entities with products, brands and/or web sites thatrisk being imitated, counterfeited and/or spoofed, such as onlinemerchants, financial institutions, businesses, etc. In other cases,however, the fraud prevention provider may be an employee of thecustomer an/or an entity affiliated with and/or incorporated within thecustomer, such as the customer's security department, informationservices department, etc.

In accordance with some embodiments, of the invention, the system 100can include (and/or have access to) a variety of data sources 105.Although the data sources 105 are depicted, for ease of illustration, aspart of system 100, those skilled in the art will appreciate, based onthe disclosure herein, that the data sources 105 often are maintainedindependently by third parties and/or may be accessed by the system 100.In some cases, certain of the data sources 105 may be mirrored and/orcopied locally (as appropriate), e.g., for easier access by the system100.

The data sources 105 can comprise any source from which data about apossible online fraud may be obtained, including, without limitation,one or more chat rooms 105 a, newsgroup feeds 105 b, domain registrationfiles 105 c, and/or email feeds 105 d. The system 100 can useinformation obtained from any of the data sources 105 to detect aninstance of online fraud and/or to enhance the efficiency and/oreffectiveness of the fraud prevention methodology discussed herein. Insome cases, the system 100 (and/or components thereof) can be configuredto “crawl” (e.g., to automatically access and/or download informationfrom) various of the data sources 105 to find pertinent information,perhaps on a scheduled basis (e.g., once every 10 minutes, once per day,once per week, etc.).

Merely by way of example, there are several newsgroups commonly used todiscuss new spamming/spoofing schemes, as well as to trade lists ofharvested email addresses. There are also anti-abuse newsgroups thattrack such schemes. The system 100 may be configured to crawl anyapplicable newsgroup(s) 105 b to find information about new spoof scams,new lists of harvested addresses, new sources for harvested addresses,etc. In some cases, the system 100 may be configured to search forspecified keywords (such as “phish,” “spoof,” etc.) in such crawling. Inother cases, newsgroups may be scanned for URLs, which may be download(or copied) and subjected to further analysis, for instance, asdescribed in detail below. In addition, as noted above, there may be oneor more anti-abuse groups that can be monitored. Such anti-abusenewsgroups often list new scams that have been discovered and/or provideURLs for such scams. Thus, such anti-abuse groups may bemonitored/crawled, e.g., in the way described above, to find relevantinformation, which may then be subjected to further analysis. Any otherdata source (including, for example, web pages and/or entire web sites,email messages, etc.) may be crawled and/or searched in a similarmanner.

As another example, online chat rooms (including without limitation,Internet Relay Chat (“IRC”) channels, chat rooms maintained/hosted byvarious ISPs, such as Yahoo™ America Online™, etc., and/or the like)(e.g., 105 a) may be monitored (and/or logs from such chat rooms may becrawled) for pertinent information. In some cases, an automated process(known in the art as a “bot”) may be used for this purpose. In othercases, however, a human attendant may monitor such chat roomspersonally. Those skilled in the art will appreciate that often suchchat rooms require participation to maintain access privileges. In somecases, therefore, either a bot or a human attendant may post entries tosuch chat rooms in order to be seen as a contributor.

Domain registration zone files 105 c (and/or any other sources of domainand/or network information, such as Internet registry e.g., ARIN) mayalso be used as data sources. As those skilled in the art willappreciate, zone files are updated periodically (e.g., hourly or daily)to reflect new domain registrations. These files may be crawled/scannedperiodically to look for new domain registrations. In particularembodiments, a zone file 105 c may be scanned for registrations similarto a customer's name and/or domain. Merely by way of example, the system100 can be configured to search for similar domains registration with adifferent top level domain (“TLD”) or global top level domain (“gTLD”),and/or a domains with similar spellings. Thus, ifs a customer uses the<acmeproducts.com> domain, the registration of <acmeproducts.biz>,<acmeproducts.co.uk>, and/or <acmeproduct.com> might be of interest aspotential hosts for spoof sites, and domain registrations for suchdomains could be downloaded and/or noted, for further analysis of thedomains to which the registrations correspond. In some embodiments, if asuspicious domain is found, that domain may be placed on a monitoringlist. Domains on the monitoring list may be monitored periodically, asdescribed in further detail below, to determine whether the domain hasbecome “live” (e.g., whether there is an accessible web page associatedwith the domain).

One or more email feeds 105 d can provide additional data sources forthe system 100. An email feed can be any source of email messages,including spam messages, as described above. (Indeed, a single incomingemail message may be considered an email feed in accordance with someembodiments.) In some cases, for instance as described in more detailbelow, bait email addresses may be “seeded” or planted by embodiments ofthe invention, and/or these planted addresses can provide a source ofemail (i.e., an email feed). The system 100, therefore, can include anaddress planter 170, which is shown in detail with respect to FIG. 1B.

The address planter 170 can include an email address generator 175. Theaddress generator 175 can be in communication with a user interface 180and/or one or more databases 185 (each of which may comprise arelational database and/or any other suitable storage mechanism). Onesuch data store may comprises a database of userid information 185 a.The userid information 185 a can include a list of names, numbers and/orother identifiers that can be used to generate userids in accordancewith embodiments of the invention. In some cases, the userid information185 a may be categorized (e.g., into first names, last names, modifiers,such as numbers or other characters, etc.). Another data store maycomprise domain information 180. The database of domain information 180may include a list of domains available for addresses. In many cases,these domains will be domains that are owned/managed by the operator ofthe address planter 170. In other cases, however, the domains might bemanaged by others, such as commercial and/or consumer ISPs, etc.

The address generator 175 comprises an address generation engine, whichcan be configured to generate (on an individual and/or batch basis),email addresses that can be planted at appropriate locations on theInternet (or elsewhere). Merely by way of example, the address generator175 may be configured to select one or more elements of useridinformation from the userid data store 185 a (and/or to combine aplurality of such elements), and append to those elements a domainselected from the domain data store 185 b, thereby creating an emailaddress. The procedure for combining these components is discretionary.Merely by way of example, in some embodiments, the address generator 175can be configured to prioritize certain domain names, such thatrelatively more addresses will be generated for those domains. In otherembodiments, the process might comprise a random selection of one ormore address components.

Some embodiments of the address planter 170 include a tracking database190, which can be used to track planting operations, including withoutlimitation the location (e.g., web site, etc.) at which a particularaddress is planted, the date/time of the planting, as well as any otherpertinent detail about the planting. Merely by way of example, if anaddress is planted by subscribing to a mailing list with a givenaddress, the mailing list (as well, perhaps, as the web site, listmaintainer's email address, etc.) can be documented in the trackingdatabase. In some cases, the tracking of this information can beautomated (e.g., if the address planter's 170 user interface 180includes a web browser and/or email client, and that web browser/emailclient is used to plant the address, information about the plantinginformation may be automatically registered by the address planter 170).Alternatively, a user may plant an address manually (e.g., using her ownweb browser, email client, etc.), and therefore may add pertinentinformation to the tracking database via a dedicated input window, webbrowser, etc.

In one set of embodiments, therefore, the address planter 170 may beused to generate an email address, plant an email address (whether ornot generated by the address planter 170) in a specified location and/ortrack information about the planting operation. In particularembodiments, the address planter 170 may also include one or moreapplication programming interfaces (“API”) 195, which can allow othercomponents of the system 100 of FIG. 1 (or any other appropriate system)to interact programmatically with the address planter. Merely by way ofexample, in some embodiments, an API 195 can allow the address planter170 to interface with a web browser, email client, etc. to performplanting operations. (In other embodiments, as described above, suchfunctionality may be included in the address planter 170 itself).

A particular use of the API 195 in certain embodiments is to allow othersystem components (including, in particular, the event manager 135) toobtain and/or update information about address planting operations(and/or their results). (In some cases, programmatic access to theaddress planter 170 may not be needed—the necessary components of thesystem 100 can merely have access—via SQL, etc.—one or more of the datastores 185, as needed.) Merely by way of example, if an email message isanalyzed by the system 100 (e.g., as described in detail below), thesystem 100 may interrogate the address planter 170 and/or one or more ofthe data stores 185 to determine whether the email message was addressedto an address planted by the address planter 170. If so, the addressplanter 170 (or some other component of the system 100, such as theevent manager 135), may note the planting location as a location likelyto provoke phish messages, so that additional addresses may be plantedin such a location, as desired. In this way, the system 100 canimplement a feedback loop to enhance the efficiency of plantingoperations. (Note that this feedback process can be implemented for anydesired type of “unsolicited” message, including without limitationphish messages, generic spam messages, messages evidencing trademarkmisuse, etc.).

Other email feeds are described elsewhere herein, and they can include(but are not limited to), messages received directly fromspammers/phishers; email forwarded from users, ISPs and/or any othersource (based, perhaps, on a suspicion that the email is a spam and/orphish); email forwarded from mailing lists (including without limitationanti-abuse mailing lists), etc. When an email message (which might be aspam message) is received by the system 100, that message can beanalyzed to determine whether it is part of a phishing/spoofing scheme.The analysis of information received from any of these data feeds isdescribed in further detail below, and it often includes an evaluationof whether a web site (often referenced by a URL or other informationreceived/downloaded from a data source 105) is likely to be engaged in aphishing and/or spoofing scam.

Any email message incoming to the system can be analyzed according tovarious methods of the invention. As those skilled in the art willappreciate, there is a vast quantity of unsolicited email traffic on theInternet, and many of those messages may be of interest in the onlinefraud context. Merely by way of example, some email messages may betransmitted as part of a phishing scam, described in more detail herein.Other messages may solicit customers for black- and/or grey-marketgoods, such as pirated software, counterfeit designer items (includingwithout limitation watches, handbags, etc.). Still other messages may beadvertisements for legitimate goods, but may comprise unlawful orotherwise forbidden (e.g., by contract) practices, such as impropertrademark use and/or infringement, deliberate under-pricing of goods,etc. Various embodiments of the invention can be configured to searchfor, identify and/or respond to one or more of these practices, asdetailed below. (It should be noted as well that certain embodiments maybe configured to access, monitor, crawl, etc. data sources—includingzone files, web sites, chat rooms, etc.—other than email feeds forsimilar conduct). Merely by way of example, the system 100 could beconfigured to scan one or more data sources for the term ROLEX™, and/oridentify any improper advertisements for ROLEX™ watches.

Those skilled in the art will further appreciate that an average emailaddress will receive many unsolicited email messages, and the system 100may be configured, as described below, to receive and/or analyze suchmessages. Incoming messages may be received in many ways. Merely by wayof example, some messages might be received “randomly,” in that noaction is taken to prompt the messages. Alternatively, one or more usersmay forward such messages to the system. Merely by way of example, anISP might instruct its users to forward all unsolicited messages to aparticular address, which could be monitored by the system 100, asdescribed below, or might automatically forward copies of users'incoming messages to such an address. In particular embodiments, an ISPmight forward suspicious messages transmitted to its users (and/or partsof such suspicious messages, including, for example, any URLs includedin such messages) to the system 100 (and/or any appropriate componentthereof) on a periodic basis. In some cases, the ISP might have afiltering system designed to facilitate this process, and/or certainfeatures of the system 100 might be implemented (and/or duplicated)within the ISP's system.

As described above, the system 100 can also plant or “seed” bait emailaddresses (and/or other bait information) in certain of the datasources, e.g. for harvesting by spammers/phishers. In general, thesebait email addresses are designed to offer an attractive target to aharvester of email addresses, and the bait email addresses usually (butnot always) will be generated specifically for the purpose of attractingphishers and therefore will not be used for normal email correspondence.

Returning to FIG. 1A, therefore, the system 100 can further include a“honey pot” 110. The honey pot 110 can be used to receive informationfrom each of the data sources 105 and/or to correlate that informationfor further analysis if needed. The honey pot 110 can receive suchinformation in a variety of ways, according to various embodiments ofthe invention, and how the honey pot 110 receives the information isdiscretionary.

Merely by way of example, the honey pot 100 may, but need not, be usedto do the actual crawling/monitoring of the data sources, as describedabove. (In some cases, one or more other computers/programs may be usedto do the actual crawling/monitoring operations and/or may transmit tothe honey pot 110 any relevant information obtained through suchoperations. For instance, a process might be configured to monitor zonefiles and transmit to the honey pot 110 for analysis any new, lapsedand/or otherwise modified domain registrations. Alternatively, a zonefile can be fed as input to the honey pot 110, and/or the honey pot 110can be used to search for any modified domain registrations.) The honeypot 110 may also be configured to receive email messages (which might beforwarded from another recipient) and/or to monitor one or more baitemail addresses for incoming email. In particular embodiments, thesystem 100 may be configured such that the honey pot 110 is the mailserver for one or more email addresses (which may be bait addresses), sothat all mail addressed to such addresses is sent directly to the honeypot 110. The honey pot 110, therefore, can comprise a device and/orsoftware that functions to receive email messages (such as an SMTPserver, etc.) and/or retrieve email messages (such as a POP3 and/or IMAPclient, etc.) addressed to the bait email addresses. Such devices andsoftware are well-known in the art and need not be discussed in detailherein. In accordance with various embodiments, the honey pot 110 can beconfigured to receive any (or all) of a variety of well-known messageformats, including SMTP, MIME, HTML, RTF, SMS and/or the like. The honeypot 110 may also comprise one or more databases (and/or other datastructures), which can be used to hold/categorize information obtainedfrom email messages and other data (such as zone files, etc.), as wellas from crawling/monitoring operations.

In some aspects, the honey pot 110 might be configured to do somepreliminary categorization and/or filtration of received data (includingwithout limitation received email messages). In particular embodiments,for example, the honey pot 110 can be configured to search received datafor “blacklisted” words or phrases. (The concept of a “blacklist” isdescribed in further detail below). The honey pot 110 can segregatedata/messages containing such blacklisted terms for prioritizedprocessing, etc. and/or filter data/messages based on these or othercriteria.

The honey pot 110 also may be configured to operate in accordance with acustomer policy 115. An exemplary customer policy might instruct thehoney pot to watch for certain types and/or formats of emails,including, for instance, to search for certain keywords, allowing forcustomization on a customer-by-customer basis. In addition, the honeypot 110 may utilize extended monitoring options 120, includingmonitoring for other conditions, such as monitoring a customer's website for compromises, etc. The honey pot 110, upon receiving a message,optionally can convert the email message into a data file.

In some embodiments, the honey pot 110 will be in communication with oneor more correlation engines 125, which can perform a more detailedanalysis of the email messages (and/or other information/data, such asinformation received from crawling/monitoring operations) received bythe honey pot 110. (It should be noted, however, that the assignment offunctions herein to various components, such as honey pots 110,correlation engines 125, etc. is arbitrary, and in accordance with someembodiments, certain components may embody the functionality ascribed toother components.)

On a periodic basis and/or as incoming messages/information arereceived/retrieved by the honey pot 110, the honey pot 110 will transmitthe received/retrieved email messages (and/or corresponding data files)to an available correlation engine 125 for analysis. Alternatively, eachcorrelation engine 125 may be configured to periodically retrievemessages/data files from the honey pot 110 (e.g., using a scheduled FTPprocess, etc.). For example, in certain implementations, the honey pot110 may store email messages and/or other data (which may or may not becategorized/filtered), as described above, and each correlation enginemay retrieve data an/or messages on a periodic and/or ad hoc basis. Forinstance, when a correlation engine 125 has available processingcapacity (e.g., it has finished processing any data/messages in itsqueue), it might download the next one hundred messages, data files,etc. from the honeypot 110 for processing. In accordance with certainembodiments, various correlation engines (e.g., 125 a, 125 b, 125 c, 125d) may be specifically configured to process certain types of data(e.g., domain registrations, email, etc.). In other embodiments, allcorrelation engines 125 may be configured to process any available data,and/or the plurality of correlation engines (e.g., 125 a, 125 b, 125 c,125 d) can be implemented to take advantage of the enhanced efficiencyof parallel processing.

The correlation engine(s) 125 can analyze the data (including, merely byway of example, email messages) to determine whether any of the messagesreceived by the honey pot 110 are phish messages and/or are likely toevidence a fraudulent attempt to collect personal information.Procedures for performing this analysis are described in detail below.

The correlation engine 125 can be in communication an event manager 135,which may also be in communication with a monitoring center 130.(Alternatively, the correlation engine 125 may also be in directcommunication with the monitoring center 130.) In particularembodiments, the event manager 135 may be a computer and/or softwareapplication, which can be accessible by a technician in the monitoringcenter 130. If the correlation engine 125 determines that a particularincoming email message is a likely candidate for fraudulent activity orthat information obtained through crawling/monitoring operations mayindicate fraudulent activity, the correlation engine 125 can signal tothe event manager 135 that an event should be created for the emailmessage. In particular embodiments, the correlation engine 125 and/orevent manager 135 can be configured to communicate using the SimpleNetwork Management (“SNMP”) protocol well known in the art, and thecorrelation engine's signal can comprise an SNMP “trap” indicating thatanalyzed message(s) and/or data have indicated a possible fraudulentevent that should be investigated further. In response to the signal(e.g., SNMP trap), the event manager 135 can create an event (which maycomprise an SNMP event or may be of a proprietary format).

Upon the creation of an event, the event manager 135 can commence anintelligence gathering operation (investigation) 140 of themessage/information and/or any URLs included in and/or associated withmessage/information. As described in detail below, the investigation caninclude gathering information about the domain and/or IP addressassociated with the URLs, as well as interrogating the server(s) hostingthe resources (e.g., web page, etc.) referenced by the URLs. (As usedherein, the term “server” is sometimes used, as the context indicates,any computer system that is capable of offering IP-based services orconducting online transactions in which personal information may beexchanged, and specifically a computer system that may be engaged in thefraudulent collection of personal information, such as by serving webpages that request personal information. The most common example of sucha server, therefore, is a web server that operates using the hypertexttransfer protocol (“HTTP”) and/or any of several related services,although in some cases, servers may provide other services, such asdatabase services, etc.). In certain embodiments, if a single emailmessage (or information file) includes multiple URLs, a separate eventmay be created for each URL; in other cases, a single event may coverall of the URLs in a particular message. If the message and/orinvestigation indicates that the event relates to a particular customer,the event may be associated with that customer.

The event manager can also prepare an automated report 145 (and/or causeanother process, such as a reporting module (not shown) to generate areport), which may be analyzed by an additional technician at themonitoring center 130 (or any other location, for that matter), for theevent; the report can include a summary of the investigation and/or anyinformation obtained by the investigation. In some embodiments, theprocess may be completely automated, so that no human analysis isnecessary. If desired (and perhaps as indicated by the customer policy115), the event manager 135 can automatically create a customernotification 150 informing the affected customer of the event. Thecustomer notification 150 can comprise some (or all) of the informationfrom the report 145. Alternatively, the customer notification 150 canmerely notify the customer of an event (e.g., via email, telephone,pager, etc.) allowing a customer to access a copy of the report (e.g.,via a web browser, client application, etc.). Customers may also viewevents of interest to the using a portal, such as a dedicated web sitethat shows events involving that customer (e.g., where the eventinvolves a fraud using the customer's trademarks, products, businessidentity, etc.).

If the investigation 140 reveals that the server referenced by the URLis involved in a fraudulent attempt to collect personal information, thetechnician may initiate an interdiction response 155 (also referred toherein as a “technical response”). (Alternatively, the event manager 135could be configured to initiate a response automatically withoutintervention by the technician). Depending on the circumstances and theembodiment, a variety of responses could be appropriate. For instance,those skilled in the art will recognize that in some cases, a server canbe compromised (i.e., “hacked”), in which case the server is executingapplications and/or providing services not under the control of theoperator of the server. (As used in this context, the term “operator”means an entity that owns, maintains and/or otherwise is responsible forthe server.) If the investigation 140 reveals that the server appears tobe compromised, such that the operator of the server is merely anunwitting victim and not a participant in the fraudulent scheme, theappropriate response could simply comprise informing the operator of theserver that the server has been compromised, and perhaps explaining howto repair any vulnerabilities that allowed the compromise.

In other cases, other responses may be more appropriate. Such responsescan be classified generally as either administrative 160 or technical165 in nature, as described more fully below. In some cases, the system100 may include a dilution engine (not shown), which can be used toundertake technical responses, as described more fully below. In someembodiments, the dilution engine may be a software application runningon a computer and configured, inter alia, to create and/or formatresponses to a phishing scam, in accordance with methods of theinvention. The dilution engine may reside on the same computer as(and/or be incorporated in) a correlation engine 125, event manager 135,etc. and/or may reside on a separate computer, which may be incommunication with any of these components.

As described above, in some embodiments, the system 100 may incorporatea feedback process, to facilitate a determination of which plantinglocations/techniques are relatively more effective at generating spam.Merely by way of example, the system 100 can include an address planter170, which may provide a mechanism for tracking information aboutplanted addresses, as described above. Correspondingly, the eventmanager 135 may be configured to analyze an email message (andparticular, a message resulting in an event) to determine if the messageresulted from a planting operation. For instance, the addressees of themessage may be evaluated to determine which, if any, correspond to oneor more address(es) planted by the system 100. If it is determined thatthe message does correspond to one or more planted addresses, a databaseof planted addresses may be consulted to determine the circumstances ofthe planting, and the system 100 might display this information for atechnician. In this way, a technician could choose to plant additionaladdresses in fruitful locations. Alternatively, the system 100 could beconfigured to provide automatic feedback to the address planter 170,which in turn could be configured to automatically plant additionaladdresses in such locations.

In accordance with various embodiments of the invention, therefore, aset of data about a possible online fraud (which may be an emailmessage, domain registration, URL, and/or any other relevant data aboutan online fraud) may be received and analyzed to determine the existenceof a fraudulent activity, an example of which may be a phishing scheme.As used herein, the term “phishing” means a fraudulent scheme to inducea user to take an action that the user would not otherwise take, such asprovide his or her personal information, buy illegitimate products,etc., often by sending unsolicited email message (or some othercommunication, such as a telephone call, web page, SMS message, etc.)requesting that the user access an server, such as a web server, whichmay appear to be legitimate. If so, any relevant email message, URL, website, etc. may be investigated, and/or responsive action may be taken.Additional features and other embodiments are discussed in furtherdetail below.

2. Exemplary Embodiments

As noted above, certain embodiments of the invention provide systems fordealing with online fraud. The system 200 of FIG. 2 can be consideredexemplary of one set of embodiments. The system 200 generally runs in anetworked environment, which can include a network 205. In many cases,the network 205 will be the Internet, although in some embodiments, thenetwork 205 may be some other public and/or private network. In general,any network capable of supporting data communications between computerswill suffice. The system 200 includes a master computer 210, which canbe used to perform any of the procedures or methods discussed herein. Inparticular, the master computer 210 can be configured (e.g., via asoftware application) to crawl/monitor various data sources, seed baitemail addresses, gather and/or analyze email messages transmitted to thebait email addresses, create and/or track events, investigate URLsand/or servers, prepare reports about events, notify customers aboutevents, and/or communicate with a monitoring center 215 (and, moreparticularly, with a monitoring computer 220 within the monitoringcenter) e.g. via a telecommunication link. The master computer 210 maybe a plurality of computers, and each of the plurality of computers maybe configured to perform specific processes in accordance with variousembodiments. Merely by way of example, one computer may be configured toperform the functions described above with respect to a honey pot,another computer may be configured to execute software associated with acorrelation engine, e.g. performing the analysis of email messages/datafiles; a third computer may be configured to serve as an event manager,e.g., investigating and/or responding to incidents of suspected fraud,and/or a fourth computer may be configured to act as a dilution engine,e.g., to generate and/or transmit a technical response, which maycomprise, merely by way of example, one or more HTTP requests, asdescribed in further detail below. Likewise, the monitoring computer 220may be configured to perform any appropriate functions.

The monitoring center 215, the monitoring computer 220, and/or themaster computer 210 may be in communication with one or more customers225 e.g., via a telecommunication link, which can comprise connectionvia any medium capable of providing voice and/or data communication,such as a telephone line, wireless connection, wide area network, localarea network, virtual private network, and/or the like. Suchcommunications may be data communications and/or voice communications(e.g., a technician at the monitoring center can conduct telephonecommunications with a person at the customer). Communications with thecustomer(s) 225 can include transmission of an event report,notification of an event, and/or consultation with respect to responsesto fraudulent activities.

The master computer 210 can include (and/or be in communication with) aplurality of data sources, including without limitation the data sources105 described above. Other data sources may be used as well. Forexample, the master computer can comprise an evidence database 230and/or a database of “safe data,” 235, which can be used to generateand/or store bait email addresses and/or personal information for one ormore fictitious (or real) identities, for use as discussed in detailbelow. (As used herein, the term “database” should be interpretedbroadly to include any means of storing data, including traditionaldatabase management software, operating system file systems, and/or thelike.) The master computer 210 can also be in communication with one ormore sources of information about the Internet and/or any servers to beinvestigated. Such sources of information can include a domain WHOISdatabase 240, zone data file 245, etc. Those skilled in the art willappreciate that WHOIS databases often are maintained by centralregistration authorities (e.g., the American Registry for InternetNumbers (“ARIN”), Network Solutions, Inc., etc), and the master computer210 can be configured to query those authorities; alternatively, themaster computer 210 could be configured to obtain such information fromother sources, such as privately-maintained databases, etc. The mastercomputer 210 (and/or any other appropriate system component) may usethese resources, and others, such as publicly-available domain nameserver (DNS) data, routing data and/or the like, to investigate a server250 suspected of conducting fraudulent activities. As noted above, theserver 250 can be any computer capable of processing onlinetransactions, serving web pages and/or otherwise collecting personalinformation.

The system can also include one or more response computers 255, whichcan be used to provide a technical response to fraudulent activities, asdescribed in more detail below. In particular embodiments, one or morethe response computers 255 may comprise and/or be in communication witha dilution engine, which can be used to create and/or format a responseto a phishing scam. (It should be noted that the functions of theresponse computers 255 can also be performed by the master computer 210,monitoring computer 220, etc.) In particular embodiments, a plurality ofcomputers (e.g., 255 a-c) can be used to provide a distributed response.The response computers 255, as well as the master computer 210 and/orthe monitoring computer 220, can be special-purpose computers withhardware, firmware and/or software instructions for performing thenecessary tasks. Alternatively, these computers 210, 220, 255 may begeneral purpose computers having an operating system including, forexample, personal computers and/or laptop computers running anyappropriate flavor of Microsoft Corp.'s Windows™ and/or Apple Corp.'sMacintosh™ operating systems) and/or workstation computers running anyof a variety of commercially-available UNIX™ or UNIX-like operatingsystems. In particular embodiments, the computers 210, 220, 255 can runany of a variety of free operating systems such as GNU/Linux, FreeBSD,etc.

The computers 210, 220, 255 can also run a variety of serverapplications, including HTTP servers, FTP servers, CGI servers, databaseservers, Java servers, and the like. These computers can be one or moregeneral purpose computers capable of executing programs or scripts inresponse to requests from and/or interaction with other computers,including without limitation web applications. Such applications can beimplemented as one or more scripts or programs written in anyprogramming language, including merely by way of example, C, C++, Java™,COBOL, or any scripting language, such as Perl, Python, or TCL, or anycombination thereof. The computers 210, 220, 255 can also includedatabase server software, including without limitation packagescommercially available from Oracle™, Microsoft™, Sybase™ IBM™ and thelike, which can process requests from database clients running locallyand/or on other computers. Merely by way of example, the master computer210 can be an Intel™ processor-machine operating the GNU/Linux operatingsystem and the PostgreSQL database engine, configured to run proprietaryapplication software for performing tasks in accordance with embodimentsof the invention.

In some embodiments, one or more computers 110 can create web pagesdynamically as necessary for displaying investigation reports, etc.These web pages can serve as an interface between one computer (e.g.,the master computer 210) and another (e.g., the monitoring computer220). Alternatively, a computer (e.g., the master computer 210) may runa server application, while another (e.g., the monitoring computer 220)device can run a dedicated client application. The server application,therefore, can serve as an interface for the user device running theclient application. Alternatively, certain of the computers may beconfigured as “thin clients” or terminals in communication with othercomputers.

The system 200 can include one or more data stores, which can compriseone or more hard drives, etc. and which can be used to store, forexample, databases (e.g., 230, 235) The location of the data stores isdiscretionary: Merely by way of example, they can reside on a storagemedium local to (and/or resident in) one or more of the computers.Alternatively, they can be remote from any or all of these devices, solong as they are in communication (e.g., via the network 205) with oneor more of these. In some embodiments, the data stores can reside in astorage-area network (“SAN”) familiar to those skilled in the art.(Likewise, any necessary files for performing the functions attributedto the computers 210, 220, 255 can be stored a computer-readable storagemedium local to and/or remote from the respective computer, asappropriate.)

FIG. 3 provides a generalized schematic illustration of one embodimentof a computer system 300 that can perform the methods of the inventionand/or the functions of a master computer, monitoring computer and/orresponse computer, as described herein. FIG. 3 is meant only to providea generalized illustration of various components, any of which may beutilized as appropriate. The computer system 300 can include hardwarecomponents that can be coupled electrically via a bus 305, including oneor more processors 310; one or more storage devices 315, which caninclude without limitation a disk drive, an optical storage device,solid-state storage device such as a random access memory (“RAM”) and/ora read-only memory (“ROM”), which can be programmable, flash-updateableand/or the like (and which can function as a data store, as describedabove). Also in communication with the bus 305 can be one or more inputdevices 320, which can include without limitation a mouse, a keyboardand/or the like; one or more output devices 325, which can includewithout limitation a display device, a printer and/or the like; and acommunications subsystem 330; which can include without limitation amodem, a network card (wireless or wired), an infra-red communicationdevice, and/or the like).

The computer system 300 also can comprise software elements, shown asbeing currently located within a working memory 335, including anoperating system 340 and/or other code 345, such as an applicationprogram as described above and/or designed to implement methods of theinvention. Those skilled in the art will appreciate that substantialvariations may be made in accordance with specific embodiments and/orrequirements. For example, customized hardware might also be used,and/or particular elements might be implemented in hardware, software(including portable software, such as applets), or both.

Another set of embodiments provides methods of combating online fraudwhich can be, in some cases, implemented by a computer or embodied in acomputer software program. These methods may be, but need not be,implemented as a computer software application and/or with a computersystem, including the systems described above. FIGS. 4-8 collectivelyillustrate several such methods, which may be implemented separatelyand/or in conjunction with one another (as well as other methods). Someor all of the procedures described as part of these methods may be (butneed not be) performed by the various components of system similar tothat described with respect to FIG. 1A, perhaps with interaction fromone or more human technicians.

FIGS. 4A, 4B and 4C illustrate methods of collecting information aboutpossible incidents of online fraud. For instance, FIG. 4A illustrates amethod 400 for inducing, receiving and/or categorizing incoming emailmessage in accordance with certain embodiments of the invention. In somecases, a honeypot and/or a correlation engine may be used to perform themethod 400. In particular embodiments, an address generator, such as theaddress generator 170 described with respect to FIG. 1B may be used toperform certain operations, such planting bait email addresses,implementing a feedback loop, etc. The exemplary method 400 can includeestablishing a customer profile (block 402) for one or more customers.The customer profile can identify a blacklist of particular keywordsthat may indicate an incoming email message is attempting to spoof thecustomer. For instance, for a customer in the financial servicesindustry, key words could be “loan,” “account,” “credit card,” and/orthe like. The customer profile can also identify servers, URLs, domainsand/or IP addresses known to be involved with phishing activitiesinvolving that customer, as well as default configuration information,such as the customer's threshold for considering an email message as aphish (e.g., relatively lenient or relatively strict), and/or thecustomer's preferences for responding to fraudulent activity (e.g., apreference for administrative response, a preferred level of technicalresponse, etc.).

At block 404, one or more “safe accounts” may be created, e.g., in thecustomer's system. These safe accounts can be valid accounts (e.g.,active credit card accounts) that do not correspond to any real accountholder, and the safe accounts may be associated with fictitious personalinformation, including a valid (or apparently valid) identifier, such asan account number, social security number, credit card number, etc.,that does not correspond to any real account holder but may be acceptedas valid by the customer's system. The safe accounts thereafter can bemonitored (block 406) for any transactions or access attempts. Becausethe safe accounts do not correspond to a real account holder, anytransactions, access attempt, etc. (“account activity”) represent anillegitimate use. In addition, the safe account can be used to traceand/or track the use of the identifier, as described in more detailbelow, and/or to compile an evidentiary record of fraudulent activity.

The method 400 can also include generating and/or planting bait emailaddresses, which can be used to attract spam and/or phish messages. Insome cases, the bait addresses may be selected to be attractive tophishers (e.g., from attractive domains and/or using English propernames as the userids) and/or to be prioritized on harvested lists (e.g.,having userids that begin with numbers, the letter a, or non-alphabeticcharacters, etc.). In this way, if a phisher sends a phish message toeach of the addresses on a harvested list, there may be a higherprobability that the bait addresses will receive the phish messagerelatively early in the mailing process, allowing the system to takeresponsive action before many actual recipients have had a chance toprovide personal information in response to the phish.

Thus, in some embodiments, generating an email address can compriseselecting one or more userid elements (block 408) such as thosedescribed above, which can be used to generate an email address. Theselection of userid elements can be performed by an address planter (asdescribed above), by any other appropriate tool, and/or manually. Ifdesired, two or more userid elements may be concatenated or otherwisecombined to form a userid (block 410). In particular embodiments, theuserid may simply comprise a single userid element.

The method 400 can further comprise selecting a hostname and/or domainname for the bait address (block 412). As described herein, theselection of a domain may consider several factors. Merely by way ofexample, certain domains may be prioritized as relatively more likely toprovoke spam and/or phish messages (e.g., because of the nature of thedomain name, because email addresses using that domain have provokedrelatively more phish messages in the past, etc.). In many cases, thedomain may be a domain that is owned and/or managed by the entityresponsible for planting the addresses (or a domain to which such anentity has access). In particular cases, popular consumer ISP domains(such as “aol.com,” “msn.com,” etc. may be used. The owners of suchdomains may be in cooperation with the entity responsible for plantingaddresses. Alternatively, the address planter (or another tool) may beused to create an account at the appropriate ISP and/or to configure theaccount to auto-forward received messages to a honeypot, etc.

The domain name then may be appended to the userid to create an emailaddress (block 414). (At this point, any necessary steps to enable theemail address, such as creating a userid on the appropriate host,opening an account with an ISP, etc. may be taken, either automaticallyor by a technician. It can be appreciated, however, that in many casesno steps need be taken for a particular userid, since the mail exchangefor the selected domain may be configured to accept incoming mail to anyuserid, as described herein).

One or more planting locations for the generated email address may beselected (block 416). Planting locations can include web sites,newsgroups and/or other locations described herein that may be likely toresult in the planted address being harvested and/or receiving spamand/or phish emails. In some cases, it may be desirable to plant eachemail address in only one location (e.g., to facilitate the tracking andfeedback processes, described below and with respect to FIG. 1B). Inother cases, e.g., when it is desirable to maximize the impact of eachgenerated address, a particular address may be planted in multiplelocations. In particular embodiments, the selection of plantinglocations may be designed to facilitate triangulation procedures inassessing which planting location produced a phish/spam message, asdescribed below in detail.

At block 418, then, bait email addresses can be planted in appropriatelocations, as described above. (Bait email addresses may be generatedaddresses, addresses associated with purchased domains, pre-existingaddresses, etc.) In some cases, the planting locations may be thelocations selected at block 416. The task of planting (also referred toherein as “seeding”) the bait addresses can be automated (e.g. performedby a computer system such as a honey pot, address generator etc.) and/orperformed manually. Merely by way of example, an address generatorsimilar to the address generator 170 described with respect to FIG. 1Bcan be used to plant bait email addresses, using, in certainembodiments, a process similar to that described in detail with respectto FIG. 1B. As noted above, in particular embodiments, it may bedesirable to plant each created address in only one location (e.g., toassist in tracking and/or implementing a feedback loop). In other cases,to maximize the effect of each generated address, it may be desirable toplant each address in multiple locations.

In other embodiments, a variety of automated and/or manual processescould be used to plant (seed) bait addresses (which themselves may havebeen generated by an address generator, manually and/or through otherautomated processes); merely by way of example, an automated processcould post newsgroup items that include bait email addresses, create adomain registration with a bait email address as the administrativecontact, compile and/or distribute lists of bait addresses formatted toappear as a list of harvested addresses, etc. In some situations,planting an email address can comprise providing additional information.Merely by way of example, if planting an address comprises creating aWHOIS record with the address as an administrative contact, the plantingoperation can comprise providing other relevant information forinclusion in the WHOIS record, such as a telephone number, contact name,address, etc. In other examples, for instance when subscribing to anewsletter, a first and/or last name may be provided with the baitaddress. This information may be supplied manually and/or may begenerated in automated fashion (e.g., by an address planter), perhaps ina manner similar to the generation of userids. In some cases, asdescribed below, such additional information may be used to refine theprocess of determining which planting location resulted in a spam/phishemail. Consequently, it may be useful to provide different informationin each planting location (even if the bait address is the same).

The planting locations may be tracked (block 420), e.g. through the useof a tracking database, as described above. Additionally, anyinformation provided along with the planted address may also be tracked.The tracking of planting locations can facilitate a feedback process, asdescribed below.

After the bait email addresses have been planted, any incoming emailmessages to the bait addresses can be gathered (block 422), using anyacceptable procedure, including the procedures discussed above. Inaccordance with some embodiments, for example, gathering an incomingemail message can comprise downloading the incoming email message from ahoney pot/mail server and/or converting the email message into a datafile, which can have separate portions and/or fields corresponding tothe header information of the email message, the body portion of theemail message, any URLs included in the email message, and/or anyattachments to the email message. Gathering the email message canfurther comprise transmitting the email message to a correlation enginefor analysis, and/or the correlation downloading the email message. Anygathered incoming email messages (and/or corresponding data files) canbe analyzed to determine whether the message should be categorized as alikely phish (i.e., a fraudulent email message) (block 424). Oneexemplary process for analyzing email messages is described below byreference to FIG. 5.

In accordance with particular embodiments, the planting process mayimplement a feedback loop (block 426), including, for instance, asdescribed above. Merely by way of example, when an incoming emailmessage is analyzed, the addressee of the incoming email message may beexamined to determine if it correlates to any generated and/or plantedaddress. If so, a lookup may be performed to determine where the addresswas planted (e.g., by searching a tracking database), and feedback maybe provided to an address generator (and/or any other tool or entityresponsible for planting addresses) to indicate that the plantinglocation for that address is a likely source for span and/or phish emailmessages. If desired, then, such location may be prioritized as alocation for additional planting operations.

In some embodiments (e.g., where a generated address is planted inmultiple locations), the feedback process may be more sophisticated. Forexample, if a particular address was planted in multiple locations,merely ascertaining the addressee of the incoming phish/spam message maybe insufficient to determine which of the planting locations resulted inthe message. In such cases, any of several procedures may be used toprovide more information about which planting location generated themessage. Merely by way of example, a triangulation procedure may beused. Consider the situation in which address A was planted in locationsX and Y, while address B was planted in locations Y and Z, and address Cwas planted in locations X and Z. If phish messages are received byaddresses A and C, it is likely that location X was the plant locationthat produced the phish messages. Similarly, if phish messages arereceived by addresses A and B, it is likely that location Y was theplant location that produced the phish messages, and so on. (It shouldbe noted that the selection of plant locations for particular generatedaddresses may be configured to enhance the ability to perform suchtriangulation).

Another exemplary procedure can include parsing the incoming message forinformation identifying which of the planting locations produced thephish message. In a simple case, the domain from which the messageoriginated may correlate with a domain at which the address was planted.(In some cases, domain analysis, as described elsewhere herein, may beused to refine this analysis. Merely by way of example, the WHOISrecords for the planting locations may be analyzed to find anyinformation that matches corresponding WHOIS information for the domainfrom which the phish message originated.) In other cases, the phishmessage may correlated to information provided with a planted address(such as a given name, last name, etc.), and such information may beused to determine which planting location resulted in the message. Basedon the disclosure herein, one skilled in the art can appreciate that avariety of procedures may be used to ascertain which of several plantinglocations resulted in a phish message.

FIG. 4B illustrates another method 435 that may be used to obtaininformation about potential fraudulent activities, includingphishing/spoofing scams. The method 435 of FIG. 4B, which may, in somecases be implemented using a honeypot, correlation engine and/or eventmanager (as described above, for example), can be used to acquireinformation from any appropriate data source, including withoutlimitation the data sources 105 described above. In accordance with someembodiments, the method 435 can include accessing a data source (block440). Accessing a data source can comprise any of a variety ofprocedures, depending on the type of data source, the type ofinformation desired, and/or other pertinent factors. Merely by way ofexample, in some embodiments, accessing a data source can comprise usinga process (which may be unattended and/or automated) to crawl the datasource. Thus, for example, if the data source is a web site, one or morefiles on the web site may be crawled (i.e., accessed and/or downloaded),and such files optionally may be saved locally to the fraud-preventionsystem. In other cases, a web search engine (such as Google™, Lycos™,etc. may be used to search for information. If the data source is alimited-access data source, accessing the data source might comprise oneor more authentication procedures (e.g., providing a username and/orpassword), which may be performed manually, interactively and/or inautomated fashion. As another example, for instance, if the data sourceis an online chat room, accessing the data source can include loggingonto the chat room. In further cases, accessing a data source caninclude downloading the entire data source, e.g., on a periodic oras-needed basis, and/or accessing (reading, parsing, searching, etc.)the downloaded data source. Merely by way of example, a domainregistration zone file may be downloaded locally on a periodic basis, sothat searches against the zone file can performed more quickly and/or inan offline fashion.

In particular embodiments, accessing a data source can includemonitoring that data source. Monitoring a data source can include, insome cases, accessing the data source on a periodic basis. In accordancewith some embodiments, monitoring a data source can comprise evaluatingthe data source for changes (e.g., additional and/or updatedinformation) occurring since a previous access of the data source.Merely by way of example, a domain registration zone file may bemonitored to find modifications to domain registrations (as described inmore detail below). In other embodiments, monitoring a data source cancomprise tracking changes to the data source occurring while the datasource is being accessed. As one example, if the data source is anonline chat room, monitoring the data source can comprise viewing,downloading, copying, etc. an online “conversation” taking place in thechat room. Somewhat analogously, if the data source is a newsgroup, thenewsgroup may be monitored for new posts, replies, etc.

The method 435 can also include acquiring information from anaccessed/monitored data source (block 445). Like accessing/monitoring adata source, acquiring information can take a variety of forms. Forinstance, if the data source is a file or set of files (such as a website, domain registration file, newsgroup), acquiring information cancomprise searching the file(s), e.g., for keywords, etc. Merely by wayof example, information may be acquired by searching for URLs and/orrelevant terms, such as “phish,” “spoof,” “scam,” etc., as well asvariants of such words. Names of particular customers might also besearch terms, as the presence of one of those names could indicate apossible fraudulent activity involving the customer. Files includingsuch words may be downloaded and/or categorized for further analysis. Inother cases, acquiring information can comprise copying and/or loggingtranscripts of online chat sessions that include relevant information,including information comprising URLS and/or relevant terms.

In particular embodiments, including for instance, if a data source isbeing monitored, acquiring information can comprise downloading and/orotherwise making a record of any modifications to the data source. Thiscan be done generically (i.e., with respect to all modifications of thedata source and/or the information contained therein) and/or selectively(i.e., only with respect to relevant information). Merely by way ofexample, if a domain registration zone file is being monitored, allchanges to registration records might be noted and/or downloaded.Alternatively, only changes that meet certain criteria (e.g., newdomains that are suspiciously similar to a client's domain name and/ortrademark, or new domains that appear to cater to spammers, phishersand/or spoofers) might be noted and/or downloaded. In particular cases,if a useful domain name expires (e.g., is marked “expired” and/ordisappears from a domain name registration zone file), that informationmay be noted, as described in further detail with respect to FIG. 4C.

In general, acquiring information can comprise any action by whichinformation may be obtained from a data source. Moreover, based on thedisclosure herein, those skilled in the art will appreciate that theprocedures of acquiring accessing a data source and acquiringinformation may be consolidated into a single procedure. In some cases,the process of acquiring information may also include notifying anadministrator (and/or an automated process) that new information hasbeen acquired and needs to be evaluated. This notification can include,without limitation, an email message, an inter-process software message,an application call, etc. In particular cases, acquired information maybe placed in a particular location (e.g., a database or other datastructure, a particular directory in a file system, etc.), and/or aprocess may monitor that location for new information to be evaluated.Hence, the notification might simply comprise placing the information inthe correct location.

Once information has been acquired, that information may be evaluated(block 450). Evaluation of the information may be performed by anautomated process and/or by a human technician. In some cases,evaluation may be performed during the process of acquiring theinformation. In a general sense, evaluating the information comprisesmaking a determination of whether the information is likely to requirefurther action, and/or determining what type of action may be required.Hence, the procedures for evaluating the information are likely to vary,depending at least in part on the type of information acquired, customerpreferences (as noted in a customer policy, for example)

Merely by way of example, if the information relates to a suspectedphishing scam, evaluation of the information may comprise parsing theinformation for a URL. If a URL is found, that may indicate that furtherinvestigation of the URL should be performed. Likewise, if informationindicates a possible spam source and/or harvesting operation, it may beappropriate to further investigate the possibility of planting baitemail addresses for harvesting. In other embodiments, the acquiredinformation may indicate domain activity, such as a new registration,expired registration, etc., and evaluation of the information mayinclude evaluating whether the domain activity warrants further action.

Merely by way of example, in particular cases, if the acquiredinformation indicates that a suspicious domain has been registered, itmay be appropriate to monitor the domain (block 455). (Monitoring thedomain can be considered, in some cases, to be part of the evaluationprocess.) In accordance with certain embodiments, monitoring the domaincan comprise checking the domain for activity, perhaps periodically(e.g., every fifteen minutes, every hour, every day, etc.). Checking thedomain for activity can comprise attempting to access a website at thedomain (e.g., by sending an HTTP GET request either to the domain itselfand/or to common hostnames—www, web, etc.—at the domain), interrogatingthe domain for servers, monitoring domain registration records and/orDNS records, etc. If a domain becomes “live” (i.e., a server beginsoperating in that domain), that might indicate a need for furtherinvestigation of a possible fraudulent activity.

If evaluation of the information (and/or monitoring of a domain) doesindicate that further investigation is necessary, such an investigationmay be conducted. In accordance with some embodiments, an investigationmay be initiated by creating an event (block 460), e.g., in an eventmanager, and/or otherwise making a record of the need for furtherinvestigation. FIG. 6 (described below) illustrates some exemplarymethods of investigating possible fraudulent activity, and block 605(also described below) illustrates one possible procedure for creatingan event. In some embodiments, events may be prioritized forinvestigation and/or response. Some events may be judged to berelatively less critical than other events, and the determination ofwhich events are considered relatively more critical is discretionary.Merely by way of example, some types of online fraud (e.g., the sellingof fake watches) may be judged to be less harmful than other types(e.g., attempts to collect personal information). In some cases, globalparameters may define, for all customers, the relative urgency ofdifferent types of events. In other cases, a particular customer'sprofile can be configured to indicate, for that customer, which eventsshould be treated as relatively more urgent. There may be several levelsof urgency, and/or the levels can be identified using colors (e.g.,yellow, orange, red), numbers (e.g., 1-5), and/or any other appropriatescheme to help the system, technicians and/or any other interestedparties in identifying the relative urgency of a particular event.

As an example of how the method 400 can be used to monitor a domain inaccordance with particular embodiments of the invention, consider thefollowing scenario. If a company “Acme Products” wishes to avoidphishing schemes associated with its brand name, the company (and/or athird party security service provider, for example), may choose tomonitor a zone file as a data source. Through the monitoring of the datasource, it is discovered that the domain <acmeproduct.com> has beenregistered. In accordance with methods of the invention, a monitoringsystem can monitor that domain, for instance by periodically making HTTPGET requests to the domain (and/or to a host on that domain, such aswww.acmeproduct.com). Once the domain has become available (i.e., theHTTP GET request returns something other than a failure), the system canbe configured to crawl the web site, taking a “snapshot” of one or more(perhaps all) available pages on the web site. The snapshot can comprisea copy of the page(s) themselves and/or merely one or more checksumsand/or hash values computed from, e.g., the contents of the page(s).This procedure can be continued periodically (such as, for example, onceper minute, hour, day, etc.), and/or such periodic snapshots can becompared one against the other (for example, by quickly comparing hashvalues for returned pages, etc.). One skilled in the art will appreciatethat, in its initial stages, a domain usually will have a “park” pageindicating that the web site is “under construction,” etc. Hence, whenthe web site goes “live” (i.e., has some content other than a parkpage), the comparison of periodic snapshots will reveal this change. Atthe point the web site goes live, an investigation and/or analysis ofthe web site may be performed. In particular embodiments, for example,an event may be opened in an event manager and/or theinvestigation/analysis procedures described elsewhere herein may beperformed. Thus, by monitoring the domain, a possible phishing operationmay be uncovered before and phish messages have been sent (and,consequently, before any customers have been scammed by the phishingoperation).

Other embodiments of the invention provide methods that can be used toencourage additional incoming spam messages. FIG. 4C illustrates onesuch method 465. Messages prompted by such methods may, in someembodiments, be processed in similar fashion to that described withrespect to FIG. 4A and/or analyzed as described in further detail below.In general, the method 465 involves the acquisition of expired domainsand the collection of email messages addressed to those domains. Asthose skilled in the art will appreciate, once a domain expires, emailaddressed to recipients at that domain generally will no longer berouted to the recipients. Such recipients, therefore, generally willacquire new email addresses and notify their correspondents of those newaddresses, who thereafter will use the new address, not the address atthe expired domain. Thus, in many cases, any email messages still beingsent to the expired domain will have a higher-than-average probabilityof being spam messages.

The method 465 can comprise accessing domain information (block 470). Inmany cases, accessing domain information can comprise accessing arelevant data source (e.g., a domain registration zone file) and/oracquiring information from that data source. The procedures describedabove may be used to access domain information in this fashion. In othercases, a variety of resources may be used to access domain information,including, merely by way of example, subscription to newslettersidentifying expired domains (and/or domains about to expire),domain-squatting websites (which often advertise expired domains forsale), and/or the like.

The method 465 can further comprise evaluating the suitability of thedomain for attracting spam messages (block 475). Merely by way ofexample, spammers sometimes send messages by demographics, and anyattempt to attract such spam can attempt to simulate such demographics.For instance, a particular domain (e.g., <musclecars.com>) mightindicate that users receiving email at that domain are likely to be carenthusiasts, and/or another domain (e.g., <finearts.com>) might indicatethat users receiving email at that domain are likely to be enthusiastsof the arts. Other domains might indicate other likely demographics,such as female users, male users, young users, etc.

Other factors might be considered in evaluating the suitability of adomain. Merely by way of example, a domain that has been registered fora relatively long period of time would be relatively more likely toreceive a greater quantity of spam than a domain with a relatively shorthistory. Thus, evaluating the suitability of a domain might include ananalysis of the length of time the domain has been registered and/or inexistence. Such an analysis could include an examination of the relevantdomain registration record, a review of various archive sites(including, merely by way of example, <archive.org>) that store archivedweb sites, etc. Further, if the domain registration already has expired,the length of time since the domain was last in use may be considered asa factor, a recently-expired domain is relatively more likely to receivespam than a long-expired domain.

If the domain registration has not already expired, the method 465 maycomprise monitoring domain registration records (and/or other datasources for expiration (block 480). Merely by way of example, thoseskilled in the art will understand that a typical domain registrationrecord (e.g., a record in a zone file), often will provide an indicationof an expiration date for the domain. If a suitable domain is found, theexpiration date may be noted, and/or data sources (e.g., zone files) maybe monitored around the scheduled expiration date to determine whetherthe domain registration is renewed or expired. Similarly, zone fileupdates may be monitored for expired domains (as discussed above), andsuch domains may be evaluated for suitability. Thus, in accordance withvarious embodiments, the procedures for evaluating the suitability ofthe domain and monitoring the expiration of a domain may occur in anysuitable order. In certain embodiments, monitoring the expiration of adomain may include monitoring any activity at the domain, for instanceusing the techniques described above.

If a suitable expired (or otherwise available) domain is found, thatdomain may be acquired (block 485). In some cases, acquiring a domaincan comprise registering the domain with an appropriate registrar, aprocedure familiar to those skilled in the art. This procedure may beautomated and/or performed manually by a technician. In other cases,acquiring a domain can comprise purchasing the domain from a thirdparty. In such cases, re-registration of the domain may be required.Optionally, bait email addresses related to the domain may be seededand/or planted (block 490), e.g., for harvesting. One exemplaryprocedure for seeding/planting bait addresses is discussed above withrespect to FIG. 4A. Other procedures may be used as well.

A mail server (which might be a honeypot) can be configured to receivemail addressed to recipients at the domain, and/or email messages sentto the domain can be accepted by the mail server (block 495). Acceptedmessages may then be processed as described with respect to othermethods discussed herein and/or as desired. In accordance withparticular embodiments, the system may be configured so that allincoming messages to the domain are accepted, whether or not they areaddressed to a valid recipient. In fact, messages addressed to invalidrecipient addresses may be more likely to be spam and/or phishingattempts. It can be anticipated, for example, that some quantity ofmessages will be addressed to former users of the domain, and asdescribed above, it is relatively more likely that such messages will bemass-mailings.

Further embodiments of the invention can be used to analyze, investigateand/or respond to any received information and/or messages (includingwithout limitation information/messages received as a result of themethods described above). FIG. 5, for example, illustrates in detail amethod 500 of analyzing an incoming email message (or data file) inaccordance with certain embodiments of the invention. (In the discussionof FIG. 5, the terms data file and message are used interchangeably,since the methods of analysis can apply equally to a message and a datafile, which may, as discussed above, correspond to a received emailmessage but which also may correspond to any other data set, which maybe acquired from a variety of different data sources, such as a newsgroup posting, web page, and/or the like. Similarly, the other methodsdiscussed herein may be applied to data files corresponding to such datasets and/or sources.) It should be noted that some of the proceduresillustrated on FIG. 5 may, in particular embodiments, take place atother points in the method 500 illustrated by FIG. 5 (including, forexample, gathering incoming email messages (block 525)), and that theorganization of the procedures in these methods (and indeed, all of themethods described herein) is merely for ease of description: Certainprocedures may occur in an order different than that described herein;indeed, various procedures may be added and/or omitted in accordancewith various embodiments of the invention.

The method 500 illustrated by FIG. 5 can include time stamping themessage (and/or any other data to be analyzed) and/or assigning anidentifier to the message/data (which may be sufficient to uniquelyidentify the message (block 505), which can aid in the identification(e.g., throughout the processes discussed herein) of the message,provide a permanent indication of when the message was received, and/orfacilitate the comparison of different messages. The procedure fordeveloping an identifier is discretionary. Merely by way of example, theidentifier may include information about when the analysis of themessage/data (e.g., a time stamp), an indicator of the source of themessage, etc. Alternatively, the identifier (and/or a component thereof)may be assigned serially and/or randomly, and/or the identifier mayidentify the type of data to be analyzed (e.g., domain registration,email message, etc.).

The method 500 can also include, in some embodiments, creating a datafile from the message (block 510), perhaps in the manner describedabove. (As noted above, unless the context clearly indicates otherwise,email messages, other data—such as, for example, domain registrations,received URLs, etc.—and data files created from such messages/data canbe processed in similar fashion, and the description of the proceduresherein generally can be applied equally, with appropriate modificationsas necessary, to any of these items.) The data files may then becollected (block 515), for instance, by transmitting the data files to acorrelation engine and/or by a correlation engine downloading the datafiles from the computer (e.g. honey pot) that gathered the data files.(In some cases, it may not be necessary to collect the data files; forinstance, the correlation engine and the honey pot may be incorporatedwithin a single software program or program module and/or be running onthe same computer.)

A data file may then be parsed or read by the correlation engine (block520). The parsing can divide the data file into various sections and/orfields, which can allow the fields and/or sections of the data file tobe analyzed by the correlation engine. For example, with respect to anemail message, the header information can be analyzed (block 525) todetermine, for instance, whether the source and/or destinationinformation in the header has been forged. If so, it is relatively morelikely that the email is a phish. As another example, the mutinginformation in the message header may be analyzed to determine whetherthe message originated from and/or was routed through a suspect domain,again enhancing the likelihood that the message is a phish.

Any text, including without limitation the body of an email message(i.e., the body field of a data file) can then be analyzed (block 530).The analysis of the body can include searching the body for blacklistedand/or whitelisted terms; merely by way of example, a blacklisted termmight include terms commonly found in phish messages, such as “freetrip”; terms indicating that the message refers to personal information,such as “credit card,” “approval,” “confirm,” etc.; and/or brand names,the name of a customer, etc. Conversely, whitelisted terms are thosethat commonly indicate that the message is not a phish. It should benoted at this point that the system can be configured to provide afeedback loop, such that if a message is determined eventually to be aphish, the list of blacklisted terms can be automatically updated toinclude the text of that message (or portions of that text). Further,the correlation engine (and/or any other appropriate component) caninclude heuristic algorithms designed to defeat common phish tactics,such as obvious misspellings, garbage text, and the like. Likewise, thesystem may implement “stemming” logic, in order to identify commongrammatical variations of root words (e.g., the words “going,” “goes,“gone,” etc. can be identified as variants of “go,” and vice-versa).

Analyzing the body of the message can include other forms of analysis aswell. Merely by way of example, if the body includes a URL or other formof redirection, the presence of those devices can also indicate a higherlikelihood that the message is a phish (or conversely, that the messageis not a phish). (In addition, the URLs and other redirection devicescan be analyzed separately, as discussed below). Moreover, otherfactors, such as the length of the body of the email message, whetherthe body includes graphics, etc., can be considered in the analysis ofbody of the email message.

In addition, if the message does include a URL (or any other form ofreference and/or redirection), the URL can be analyzed. (This analysiscan also be applied to a URL received from another source, such as alist of URLs transmitted by an ISP, the URL of a suspicious web page, aURL associated with a suspicious domain registration, etc.) For example,network data (including without limitation DNS and/or WHOIS data, aswell as network records, e.g., ARIN information), for the domainassociated with the URL can be accessed. If this data indicates that theURL does not resolve to a domain (e.g., the URL resolves only to an IPaddress), the URL may be part of a phishing scam. Similarly, thoseskilled in the art can appreciate that phishing scams often are basedfrom servers/domains outside the United States; as well, a particulardomain may be known to be likely to host phishing scams. Hence, if theURL resolves to a suspicious domain or global top-level domain (“gTLD”),the URL may be part of a phishing scam. As another example, a URL(and/or the network data for the domain and/or IP address associatedwith the URL) may be compared with information in the email headers(including, for example, source address, “FROM:” field, etc.) and/ornetwork data associated with such header information. If this comparisonreveals inconsistencies, it may be relatively more likely that themessage is a phish. Conversely, if this information is consistent, itmay be (but is not necessarily) relatively more likely that the messageis not a phish.

In accordance with some embodiments, analyzing a URL (obtained from anysource) can involve one or more detailed tests. FIG. 5B illustrates anexemplary method 560 comprising a variety of such tests (any of whichmay be performed in various orders and/or combinations, depending on theembodiment). One test, for example, comprises testing the URL todetermine that it is “live” (i.e., that a web page, etc. referenced bythe URL is available) (block 562). This may be performed using a webbrowser, an HTTP GET request, etc. Further, the DNS information for aserver and/or a domain referenced by the URL may be obtained (using anyof several common methods) and/or analyzed (block 564) (e.g., todetermine the IP address and/or network block of the server to which theURL refers). Similarly, the WHOIS information for the domain may beobtained and/or analyzed (block 566), e.g., to determine who owns thedomain. In particular, any particular identifying information for thedomain (e.g., a contact name, address, email address, phone number,etc.) may be noted. Any of the information obtained by these proceduresmay be stored for future reference and/or compared to similarinformation obtained through earlier analyses. In this way, for example,repeat offenders may be identified efficiently. Merely by way ofexample, if a domain associated with a URL being analyzed has the samecontact email address as a domain previously found to be associated withan online scam, the current URL may be relatively more likely to beassociated with a scam.

In accordance with some embodiments, the geographical location of theserver hosting the URL may be determined (block 568). Those skilled inthe art will appreciated that there are a variety of known proceduresfor determining the geographical location of a server (based on itsdomain name and/or IP address, for example) and any of these proceduresmay be used. The geographical location of a server can provide anindication of whether the server is likely engaged in a fraudulentactivity. Merely by way of example, if a server located in EasternEurope is hosting a web site that purports to be associated with acompany located in the U.S., it may be relatively more likely that theweb site is fraudulent. In addition, determining the location of theserver may provide an indication of what administrative and/or technicalresponses are available with respect to web pages served by that server.

The composition of the URL itself may also reveal whether the URL islikely to refer to a fraudulent web site. Merely by way of example, inmany cases, a URL referring to a legitimate corporate web site will havea fairly simple directory path, such as the root (default) path for theweb server (e.g., “/”, or perhaps a subdirectory of the root path (e.g.,“/verify/”). Any URLs with convoluted or unusual directory paths,therefore, may be more likely to be engaged in fraudulent activity, andan examination of the URL itself might provide some indication of thisfact. Thus, the method 560 can include, in some cases, evaluating thedirectory path of the URL (block 570). Merely by way of example, if theURL references a user directory (e.g., “/.about.jsmith/”) the URL may berelatively more likely to refer to an illegitimate web site, since alegitimate corporate web site would not be expected to reside in auser's directory. Because scammers recognize this fact, they sometimesattempt to obscure the directory path of the web site using, forexample, URL redirection, which often results in relativelyunconventional URLs. Thus, the encoding of the URL also may be examined(block 572). If the URL has unconventional coding (such as characterstrings in the place of a directory path, etc.), such unconventionalcoding may indicate that the URL includes implicit redirection (e.g., toan obscured path), meaning the URL may be relatively more likely torefer to an illegitimate web site.

In some cases, sources of anti-abuse information, such as anti-abusenewsgroups, email lists, etc. may be searched for references to the URLbeing analyzed (and/or for a host, domain, IP address and/or networkblock associated with the URL (block 574). A reference in one of theseanti-abuse sources may indicated that the URL refers to a fraudulent website.

Another factor that may be considered is whether the URL refers to anencrypted connection, such as a connection secured by the SecuredSockets Layer (“SSL”) encryption scheme known to those skilled in theart (block 576). For example, if the protocol specified by the URL is“https,” the URL generally will link to a secured connection.Alternatively, the server hosting the resource referenced by the URL maybe interrogated to determine whether the server accepts securedconnections, for example by submitting an HTTPS GET request to thehostname (or IP address) referenced by the URL. Other procedures may beused as well. The use of encryption or other security may indicate thatthe referenced web site is relatively more (or less) likely to beengaged in fraudulent activity.

In addition to testing for secured connections, the server and/or website to which the URL refers may be subjected to additional tests. (Suchtests may also be performed as part of a web site/server investigation,such as the investigation described with respect to FIG. 7). Merely byway of example, the active ports on the server may be verified (block578), e.g., using a port scanner and/or other diagnostic tools(including without limitation those discussed above, such as NMAP andNessus). If a server is listening on “high” or “unknown” ports (e.g.,any port numbered above 1024), the activity of such ports may indicatethat the web site is relatively more likely to be illegitimate. (Inaddition, the URL may be further evaluated to determine whether itrefers to a high or unknown port number, which would provide a similarindication). Further, if the server “listens” on ports known to allowsecurity vulnerabilities, it may be relatively more likely that theserver has been compromised, which could indicate an enhanced likelihoodof a fraudulent activity.

In some cases, it may be appropriate to “crawl” the web site referencedby the URL (and/or a portion of that web site, such as the referencedpage, the first ten pages, the first level of links, etc.) (block 580).This procedure is described in more detail with respect to FIG. 7. Thedownloaded pages may provide additional indications of whether the website is legitimate. Merely by way of example, the pages can be checkedfor spelling and/or grammar errors (block 582). The presence of sucherrors (particularly if they are relatively numerous) can indicate thatthe web site is not professionally designed and/or maintained, andtherefore is relatively more likely to be fraudulent. Similarly, themethod may test for the presence of any HTML forms (and/or the contentsof the forms) (block 584), which may provide an indication of thelegitimacy of the web site. The testing of forms is described in moredetail with respect to FIGS. 7 and 8, and similar procedures may be usedin this context.

The downloaded pages may also be checked to determine whether the pagescontain URLs referring to other pages (block 586), especially pagesexternal to the web site, including without limitation pages associatedwith a legitimate business and/or other fraudulent sites, as wellwhether the pages refer to images hosted on other sites (block 588). Thepresence of either of these types of references may indicate that theweb site is relatively more likely to be illegitimate. Merely by way ofexample, if a web site is spoofing a bank's web site, the spoofing sitemay have external URL links to the bank's actual web site and/or maycomprise images hosted by the bank's web site (so as to appear moreauthentic).

Often, a scammer will move a fraudulent web site (and/or pages from thatsite) among various servers in an attempt to perform multiple scamsand/or avoid detection/prosecution. Further, some scammers purchase (orotherwise acquire) “turnkey” scamming kits comprising pre-built webpages/sites that can be hosted on a server to perform a scam. Itfollows, therefore, that it can be useful to provide an efficient way tocompare URLs and/or web sites from a plurality of investigations. Merelyby way of example, in some cases, the method 560 can include generatingand/or storing (e.g., in a database, file system, etc.) a checksumand/or hash value associated with the URL and/or page(s) referenced bythe URL (e.g., the page directly referenced by the URL and/or the pagescrawled in block 580) (block 590). Merely by way of example, a hashingalgorithm may be used to calculate a value for the URL string and/or forthe contents of the referenced page(s). Alternatively, a checksum valuemay be calculated for the contents of these page(s). Either (or both) ofthese procedures may be used to provide an efficient “snapshot” of aURL, web page and/or web site. (In some cases, a discrete checksum/hashmay be generated for a URL, an entire site and/or individual pages fromthat site). The checksum/hash value(s) may then be compared againstother such values (which may be stored, as described above, in adatabase, file system, etc.) calculated for URLs/web sites investigatedpreviously (block 592). If the checksum/hash value matches the value fora web site previously found to be fraudulent, the odds are good that thepresent site is fraudulent as well.

Returning to FIG. 5A, information about the domain to which the URLresolves may be analyzed (block 540), either as a separate step or as apart of the URL analysis. Further, in determining whether a domain issuspicious, the domain may be compared to any brand informationcontained in the body of the message. For example, if the body of themessage includes the brand name of a customer, and the URL resolves to adomain different than a domain owned by and/or associated with thatcustomer, the URL can be considered suspicious.

Upon the completion of the analysis (of any portion of a message, asdiscussed above, and/or of the message as a whole), the datafile/message may, in some embodiments be assigned a score (block 545).Assigning a score to the data file/message can provide a quantitativemeasurement of the likelihood that the message is a phish, and in suchembodiments, a score can be compared to a threshold score, such that ascore meeting a particular threshold can result in further analysisand/or investigation, while a score not meeting that threshold canindicate a judgment that the email is not a probable phish. In someembodiments, the overall analysis of the message can result in theassignment of a single score.

In other embodiments, each type of analysis (e.g., the analysis of theheader, of the body, of the URL and/or of the associated domain) canresult in the assignment of a separate score, and/or these separatescores can be consolidated to form a composite score that can beassigned to the message. Moreover, the individual scores for each typeof analysis may themselves be composite scores. Merely by way ofexample, each of the tests described with respect to FIG. 5B (as well,perhaps as other tests) may result in a score, and the scores of thesetests may be consolidated to form a composite URL score.

In further embodiments, the analysis of each data file or email messagecan be performed in hierarchical fashion: the header information may beanalyzed and scored, and only if that score meets a certain thresholdwill the correlation engine proceed to analyze the body. If not, themessage is considered not to be a phish and the analysis ends. Likewise,only of the score resulting from the body analysis reaches a certainthreshold will the URL be analyzed, etc.

The score values for various findings can be arbitrary, and they canreflect a judgment of the relative importance of various factors in theanalysis. Further, based on the disclosure herein, one skilled in theart can appreciate that the scaling of the scores for various portionsof the message (and/or the threshold scores for proceeding to the nextstage of analysis) can be adjusted depending on the relative reliabilityof the analysis of each portion in determining whether the messageactually is a phish, as well as the desired degree of precision inidentifying possible phish messages. Moreover, the correlation enginecan employ an automatic feedback loop, as described above, allowing thecorrelation engine to be self-tuning if desired for instance, if aparticular factor proves to be a reliable indicator in categorizing amessage, the correlation engine can automatically begin to give thatfactor more weight.

To understand how a hierarchical scoring system may be implemented inaccordance with some embodiments, consider the following, simplifiedexample. An email message with a forged header may be accorded a scoreof 150, and if a score over 100 is required to proceed to the analysisof the body, that analysis will be performed. The presence of acustomer's name in the body may be worth a score of 1000, and thepresence of the term “confirm your credit card” may be worth a score of2000. A score over 2500 may be required to proceed to URL analysis, soif the message includes both terms, it will have a score of 3150 andwill proceed to URL analysis. Finally, if the URL resolves to an IPaddress, that may be worth a score of 10000. If the threshold compositescore for considering a message to be a likely phish is 12000, thecomposite score of the message (13150) would indicate that the emaillikely is a phish. (It should be noted that, while, for purposes ofillustration, this example requires the assigned score to exceed thethreshold score, in other embodiments, a score might have to be lowerthan the threshold score to meet the threshold. That is, the requiredrelationship between the assigned score and the threshold score isdiscretionary. It should also be noted that certain factors, such as thepresence of a white listed term, can detract from a score.)

After the analysis of the message/data file is complete, the message maybe categorized as a phish (block 550). In some embodiments, a scoringalgorithm similar to those discussed above may be used to categorize themessage. In some cases, the categorization can depend on an overalland/or composite score for the message, while in other cases, thecategorization might depend only on a score for a particular section(e.g., the body portion, the URL, etc.). Other methods of categorizationmay be used as well. For example, the mere presence of any particularblacklisted term, a URL resolving to a suspicious domain, etc. may causethe message to be categorized as a phish. The choice of criteria forcategorization is discretionary.

The scoring methodology described above may be applied to thecategorization of data (including email messages, URLs, web sites, etc.)in a broader context as well. Merely by way of example, in accordancewith some embodiments, a similar scoring system could be used toidentify direct email marketing (e.g., from a competitive marketingperspective), to determine whether a business's products, trademarks,business identity, etc. is being used in an improper manner, etc. Withthe benefit of this disclosure, those skilled in the art will appreciatethat this robust scoring methodology may utilize a variety of differentscoring criteria to analyze such data in a wide variety of applications.

FIG. 6 illustrates a method 600 for investigating a suspected fraudulentactivity. In some cases, a fraudulent activity may be discovered throughthe analysis of a received email message and/or data obtained from adata source (e.g., via a crawling/monitoring activity, as discussedabove).

Once a suspected instance of fraud has been uncovered, an event may becreated in an event manager (block 605). As described above, inaccordance with some embodiments of the invention, an event manager canbe a computer systems (and/or a software application) that may beconfigured to track suspected fraudulent activity. In particularembodiments, the event manager may have workflow capabilities, such thatan event may be created as a container for all available informationabout a suspect activity. Merely by way of example, the creation of anevent can be similar to the creation of a “trouble ticket” known tothose skilled in the art, whereby the event remains open until a finalresolution (e.g., classification of the suspect activity asnon-fraudulent, cessation of the suspect activity, etc.) renders theevent moot, at which point it may be closed. In the interim, variousinvestigative and/or responsive procedures (including without limitationthose described in detail below) may be initiated by the event manager(automatically and/or with user interaction) and/or a record of theresults of such procedures may be stored and/or tracked by the eventmanager. All of this information may be contained within an eventobject. As noted above, in some cases, the event manager can bepolicy-driven, such that customer policies influence the way aparticular event is handled. The event, therefore, may be linked to oneor more customer policies, which can inform the behavior of the eventmanager and/or a technician handling the event.

In general, each event may be investigated (block 605). In some cases,when an event is opened, a technician might evaluate the event (e.g., byvisiting and/or analyzing a web site associated with the event). Inother cases, a more rigorous investigation may be performed, forinstance by an event manager.

FIG. 7 illustrates an exemplary method 700 detailing various proceduresthat may be undertaken as part of the investigation. At block 705, theIP address of the server referenced by a URL included in the message maybe acquired via any of several well-known methods, such as a DNS query(or, if the URL refers to an IP address instead of a hostname, the URLitself).

In addition, an apparent address for the server referenced by the URLmay be identified. Those skilled in the art can appreciate that a URLmay be associated with an “anchor,” which can be text, an image, etc.,such that the anchor appears to be the address for the server referencedby the URL, while the actual URL remains hidden to a casual observer.(In other words, the user may select the anchor in a web browser, emailclient, etc. to be redirected to the server referenced by the URL). Inthis way, the anchor may comprise an “apparent address” that actually isdifferent than the address referenced by the URL. Both the apparentaddress (e.g., the address in the anchor) and the address of the serverreferenced in the URL (i.e., the actual address in the URL) may comprisea hostname (usually including a domain) and/or an IP address. Inaddition, the anchor may comprise an identifier for a trusted entity (abusiness name, etc.) If the apparent address is different than theaddress actually referenced by the URL (and/or the apparent addresscomprises an identifier for a trusted entity while the address actuallyreferenced by the URL is not associated with that trusted entity), itmay be more likely that the URL is fraudulent and/or that the serverreference by the URL is engaged in fraudulent activity.

The method 700 may also comprise investigating information about thedomain to which the URL resolves (block 710), for instance through adomain WHOIS query. This information can show the owner of the domain,the assigned name server for the domain, the geographic location of thedomain and administrative contact information for the domain. Inaddition, information about the IP block to which that domain should beassigned can be investigated (block 715), which can elicit similarinformation to the domain WHOIS query, as well as an indication of whichIP block the domain should relate to. Further, the domain informationreferenced by the URL can be verified (block 720), for instance bycomparing the IP address obtained through the DNS query (or via the URL,if the URL contains an IP address instead of a hostname) with the IPblock to which the domain should belong. Any discrepancy in the domaininformation can indicate that the domain has been spoofed in themessage, providing further evidence that the message is likely aphishing attempt.

At block 725, the server to which the URL refers can be interrogated,using a variety of commercially-available tools, such as port scanners,etc. In some embodiments, the NMAP application and/or the Nessusapplication may be used to interrogate the server. In a particular setof embodiments, these tools may be incorporated into a proprietaryapplication (which may also perform other investigation, as discussedabove) to provide more robust interrogation of the server. Theinterrogation of the server can indicate what services the server isrunning (which can provide some indication of whether the server isengaged in fraudulent activity). For instance, if the server isaccepting HTTP requests on an unusual port, that service may (or maynot) indicate that the server is engaged in fraudulent activity. Theinterrogation of the server may also show security vulnerabilities,which can indicate that the server may be compromised and therefore maybe engaged in fraudulent activity without the knowledge of the serveroperator. In addition, the route to the server may be traced in awell-known manner, providing more information about the server, itslocation, and the domain/IP block in which it resides.

Interrogating the server can include downloading some or all of the webpages served by that server (using, for example, the WGET command and/orany other HTTP GET function) (block 730), especially any pages thatappear to masquerade as pages on other servers (spoof pages). Thedownloaded pages may be analyzed to determine whether the pages requestany personal information and/or provide fields for a user to providepersonal information (block 735). Further, downloaded pages may bearchived (block 740), which can allow a technician and/or the customerto view the pages to assist in any necessary human evaluation of whetherthe pages actually are fraudulently requesting personal information. Insome cases, a representation of the pages may be saved, as described indetail herein.

Finally, an event report may be generated (block 745). The event reportmay include any or all of the information obtained through theinvestigation, including any archived pages. The event report may beconsulted by a technician and/or provided to a customer to assist informulating a response strategy. In some cases, a redacted version ofthe event report may be provided to the customer.

Returning once again to FIG. 6, the results of the investigation may bereported (block 615), for instance by displaying a copy of the eventreport to a technician at a monitoring center (or any other location).Optionally, the technician may analyze the report (block 620) to providea reality check on the information obtained in the investigation and/orto formulate a response strategy. The customer may be notified of theevent and/or of the investigation results (block 625), by an automatedemail message, phone call from a technician, etc. The technician mayalso confer with the customer (block 630) to allow the customer to makea decision with respect to how to respond to the attempted fraud.Alternatively, a customer profile may indicate that a specific responsestrategy should be pursued, such that the customer need not be consultedbefore formulating a response strategy.

If the investigation and/or event report indicates that the server isengaging in fraudulent activity, the method 600 can include respondingto the fraudulent activity. Any such response may be initiated and/orpursued automatically and/or manually (i.e., at the direction of atechnician). Responses can take a variety of forms. Merely by way ofexample, the customer, customer policy and/or technician may determinethat an administrative response (block 635) is appropriate. Anadministrative response can include any response that does not involve adirect response against the server. For example, one possibleadministrative response is notifying the ISP hosting the server and/orthe registrar for the server's domain that the server is engaged infraudulent activity. Another administrative response could be notifyinglegal authorities about the fraudulent activity and/or preparingevidence for a case under the Uniform Domain-Name-Dispute ResolutionPolicy (“UDRP”). If the investigation reveals that the server may havebeen compromised, an administrative response can include notifying theserver operator (perhaps via contact information obtained during theinvestigation of the event) that the server has been compromised and/orproviding advice on how to secure the server to avoid futurecompromises.

In addition (or as an alternative) to administrative responses, it maybe desirable to pursue a direct technical response against the server(block 640). FIG. 8 illustrates an exemplary method 800 for pursuing atechnical response against a server. The method 800 can include parsinga spoofed web page to identify fields in which a user may providepersonal information (block 805). Those skilled in the art willrecognize that an online form (such as an HTML form, etc.) comprises oneor more fields, and that those fields generally include a labelindicating the information that should be entered. In accordance withsome embodiments, therefore, a set of requested fields from the web pagemay be analyzed (block 810); for instance the label accompanying eachfield can be analyzed to determine whether the field requests personalinformation, and in what format the information should be submitted.This analysis can include a search for common words, such as “firstname,” “credit card,” “expiration,” etc., as well as an analysis of anyrestrictions imposed by the field (e.g., data type, length, etc.) A setof “safe” data may be generated to populate the fields requestingpersonal information (and/or any other necessary fields) (block 815). Insome cases, the safe data can correspond to a safe account, as discussedabove. In any event, the safe data can comprise data that appears to bevalid (and in fact may be valid, in that it corresponds to a validaccount) but that does not pertain to any real account holder or otherperson. The safe data can be drawn from a database and/or dictionary ofsafe data (e.g., fictitious first and last names, addresses, etc.)and/or generated algorithmically (e.g., account numbers, credit cardnumbers, expiration dates, etc.) and/or some combination of the two.

Based on the analysis of the requested fields, the safe data can bemapped to the requested fields (block 820), such that the data isformatted to appear to be actual personal information for a user. Merelyby way of example, if a field requests a credit card number, safe datarepresenting an apparently valid credit card number (e.g. a sixteendigit number starting with a “4,” which would appear to be a valid Visa™credit card number) can be mapped to that field. A responsive messagemay be generated and/or formatted to look like a filled-out form fromthe spoofed web page (block 825) and then may be submitted to theserver. This process can be repeated as necessary, creating a pluralityof “safe” responses.

In many cases, a phisher will attempt to filter responses, in order toavoid the deleterious effects of safe data on his collection of acquireddata, to avoid the snare of “marked money” (which is discussed infurther detail below), and/or for other reasons. Phishers may attempt touse a variety of devices to filter received responses. One type offiltering involves the examination and/or filtering of responses from aparticular IP address and/or domain (or set of addresses/domains) thephisher suspects might not be real responses to the phishing scam.Methods of the invention can implement countermeasures, includingwithout limitation those discussed below, to avoid this type offiltration.

One type of filtration can be loosely termed “data verification,” and itinvolves the use of various techniques to check the submitted responsesfor consistency. Merely by way of example, if the phisher's web sitecollects data that is formatted according to a standard (which may be anindustry standard, a published standard, etc.), the phisher mayimplement controls (which can be software applications and/or portablesoftware residing on the phisher's web server, in the phish email, etc.)to check submitted responses for consistency with such standards. Toavoid filtration of safe responses, therefore, the method 800 canimplement countermeasures such as identifying and/or evaluating any suchstandards that may be applicable (block 830). For example, the method800 can include evaluating each of the response fields to determinewhether any standards apply to that field, and if so, determining howthe standard is implemented. Merely by way of example, as discussedabove, credit card networks have developed standards for ensuring theconsistency and/or validity of credit card numbers. If a field asks fora credit card number, therefore, the method 800 could includeidentifying the proper standard for appropriate responses. Similarstandards exist for bank routing (“RTN”) numbers, etc. As another,perhaps simpler, example, if a web site requires the submission of anemail address, the method 800 can include identifying the requirementsfor a valid email address (e.g., user@domain.tld). (Other proceduresinvolving the validation of email addresses are discussed below.) Insome cases, therefore, the system may comprise logic and/or datastructures for identifying common field types and/or correlating thosefield types with the appropriate standard for data submitted in responseto those field types.

Phishers sometimes also use one or more embedded tests to validateresponses, and the method 800 therefore can comprise countermeasures todefeat such embedded tests. Such countermeasures can include withoutlimitation identifying and/or analyzing such embedded tests (block 835).Merely by way of example, the web server and/or the email message mayinclude portable code (such as a Java applet, a JavaScript, a CGIapplication, etc.) and/or other devices designed to track, identifyand/or ignore responses not generated as a result of a phish mailingand/or sent repetitively. Such devices can include, again merely by wayof example, counters, timers, cookies, hash values and/or the like.Identifying and/or analyzing such devices can include scanning/parsingan email message and/or web site for the existence of such code,downloading such code and/or executing the code in a sandbox todetermine how it operates, and/or reverse-engineering the code todetermine how responses are validated. As a simple example, a web sitemight set a cookie that identifies a particular computer, such thatmultiple responses from that computer may be identified and/or filteredby the phisher. Identifying and/or analyzing this device can compriseexamining the contents of the cookie, so that a modified cookie (whichcould, for example, change and/or remove the identifying information)could be sent with each response. In other cases, the device mightinclude a counter that is incremented for each access to the web sitefrom a particular computer, and that timer might be identified so thatappropriate countermeasures could be taken. In yet other cases, a timermight be implemented to prevent a plurality of responses being sentwithin a certain time frame, and/or a hash algorithm may be applied toresponses, etc., e.g., to identify the responses.

In other cases, a phisher may attempt to validate responses based oninformation about and/or contained in a phish email designed to triggerthe response, often requiring the response to comport in some fashionwith the email to which it responds. Such strategies can be said toinvolve “round-trip” information; that is, certain data is sent by thephisher in the email address, and corresponding data is expected to bereturned on the “round trip” to the web server. These techniques can beused, for example, to filter responses that do not appear to correlateto any email sent by the phisher, on the assumption that such responsesare bogus and/or comprise safe data. Accordingly, the method 800 cancomprise countermeasures to defeat attempts by the phisher to user suchround-trip information to filter responses. Such countermeasures caninclude, for instance, identifying and/or analyzing any such “roundtrip” information (block 840). Round trip information may be identifiedand/or analyzed through a variety of procedures.

Merely by way of example, a phisher may retain a list of addresses towhich a particular phish message was sent and also require responses toinclude an email address. The phisher can then filter responses by emailaddress, such that any responses listing an email address not include onthe list maintained by the phisher are considered bogus. Alternatively,the phisher may include a response code in each of the phish messagesand require responses to provide the response code, then filtering anyresponses that do not include the response code. (In particular cases,the response code may be keyed to the day of the phish transmission, tothe address to which the phish message was transmitted, and/or any othervariable, for instance by using portable code in the phish message,and/or analyzing the round trip information can comprising analyzingsuch portable code, in a manner similar to that discussed above.)

Identifying and/or analyzing such round trip information can includeanalyzing the phish message and/or the response web page; in many cases,a comparison of the phish message and the response web page will revealthe use of round trip information. Further, a collection of phishmessages (each of which, perhaps, being collected by a honeypot, asdescribed above, and/or by another method) can reveal similaritiesand/or patterns that allow for the identification and/or analysis ofround trip information. Merely by way of example, the recipientaddresses on a plurality of phish emails appearing to originate from acommon email “blast” may be compared to find commonalities and/ordifferences (in recipient addresses and/or domains, in response codes,in included portable code, etc.). This comparison can help in theformulation of responses that will not be filtered by the phisher.

In particular cases, a phisher may use one or more of the abovetechniques in an attempt to filter responses. Moreover, since phishersoften operate their web sites on compromised servers (as discussedabove), phishers often have incentives to make their filteringprocedures as “lightweight” as possible, to avoid imposing a significantload on the compromised server (which could alert the operator of theserver to the compromise, for example). Hence, phishers often attempt togeneralize their filtering techniques to allow for more efficientsearching. Merely by way of example, instead of filtering for particularemail addresses corresponding to transmitted phish emails, a phisher maylimit a particular spam burst to addresses at a single domain, such as“aol.com” (or a plurality of selected domains) and require an emailaddress as part of responses submitted to a corresponding web site. Anyresponses listing an email address with a domain different than thedomain to which the email blast is addressed may then be filtered. Thisprocedure may prove to be significantly more efficient (from a computingresources standpoint) than actually comparing individual emailaddresses. The procedures of identifying round trip information (and/orany other devices) may reveal patterns indicating such “shortcuts,”and/or these shortcuts may be exploited in forming responses. Merely byway of example, if an analysis of a collection of phish emails indicatesthat a particular blast was directed to users at a particular domain, itmay be the case that any response using providing an email address inthat domain (and/or appearing to originate from a host in that domain)will be accepted by the phisher's filtering procedures.

Hence, the method 800 can include ensuring (block 845) that responses tobe transmitted to the phisher's web server meet criteria identifiedand/or analyzed in blocks 830-840 (and/or any other identifiedvalidation criteria). Based on the disclosure herein, one skilled in theart will appreciate that ensuring the responses meet a given criteriawill often be highly on the nature of the identified criteria. Merely byway of example, if the criteria is that a particular returned value mustconform to an industry standard (such as a credit card number, forexample), the method 800 likely would include ensuring that allresponses included validly-formatted credit card numbers. As anotherexample, if analysis of round trip information indicates that the phishemail blast appears only to have transmitted messages to users at acertain domain and/or ISP, the method 800 could ensure that allresponses submitted include an address associated with that domain. Asyet another example, if an embedded test is identified (for example, byreverse engineering portable code, as discussed above), the method 800can ensure that each response will be considered valid when evaluated bythat portable code (for example, by creating responses compliant withthe code and/or by executing the code on the response beforetransmission to the web server to test the result).

Hence, the method 800 can include countermeasures designed to circumventany filtering techniques (and, in particular, any content-basedfiltering techniques) implemented by the phisher. It may be noted thatthe procedures discussed with respect to blocks 830-845 have beenillustrated as occurring after responses have been formatted (block825). In some embodiments, however, it may be relatively more efficientto perform these procedures at other points in the method 800, such asbefore generating safe data (block 815) and/or before formattingresponses (block 825).

Safe responses (and/or any other appropriate response and/or request,which could include, for instance, generic HTTP requests, other types ofIP communications/packets, etc.) may be submitted to the server in anumber and frequency determined by a response strategy. For instance, a“respond to confuse” strategy may be employed, whereby relatively fewsafe responses are submitted to the server (block 850). This strategycan have the effect of introducing invalid data into the server'sdatabase, thereby causing uncertainty for the phisher about which of thedata collected actually represents valid personal information that canbe exploited and which of the data collected is mere garbage. This alonecan significantly affect the profitability of a phishing scam and may besufficient to prevent the phisher from exploiting significant amounts ofvalid personal information received from actual consumers. In addition,if the safe data is associated with a safe account, and the phisherattempts to exploit the safe data, the phisher's use of that data can betraced, and an evidentiary trail of the phisher's activities can becompiled, aiding the identification of the phisher and possiblyproviding evidence for a civil litigation or criminal prosecution.

If desired, a “respond to impede” strategy can be pursued (block 855).In this strategy, safe responses can be transmitted in greater numbersand/or at a greater rate. Safe responses can also be sent from aplurality of response computers, which can reside in different domainsand/or IP blocks, preventing easy detection by the phisher of whichresponses comprise safe information (and are therefore useless to thephisher). In addition to the benefits of the “respond to confuse”strategy (which are in fact magnified under this strategy), the “respondto impede” strategy may signal to the phisher that his scam has beendiscovered, possibly providing a deterrent against continuing with thescam.

If a more aggressive response is desired, a “respond to prevent”strategy may be undertaken (block 860). The respond to prevent strategycan involve transmitting large numbers of safe responses at a high ratefrom numerous, possibly widely-distributed, response computers. In fact,response rates can be sufficiently high to effectively prevent theserver from being able to accept any substantial quantity of realresponses from actual consumers or others, effectively terminating thescam. This strategy can be pursued until the server stops acceptingresponses, and may in fact be continued in case the server once againbegins accepting responses.

Finally, in some cases, a “respond to contain” strategy may be employed(block 865). This strategy involves submitting sufficient HTTP requeststo a web server operating a spoof scam to effectively disable theserver's ability to service requests. Those skilled in the art willappreciate that typical web servers often implement a connection table,which tracks and limits the number of HTTP connections the server mayservice at any given time. In accordance with embodiments of theinvention, therefore, sufficient simultaneous HTTP requests may besubmitted (perhaps by a distributed systems of computers, as describedabove) to “fill up” the web server's connection table and therebyprevent the server from accepting any more requests. This process may becontinued indefinitely until the fraudulent web site is removed. TheHTTP requests may comprise safe responses (as described above) but, inthis case, need not. Any generic HTTP request (such as an HTTP GETrequest) generally will suffice to create a connection and therebyoccupy an entry in a connection table.

It is worth noting that this technique is different from a generalizedattack (e.g., the transmission of an overwhelming number of IP packets)on the system/network from which the online fraud is being perpetrated,in that the number of HTTP requests required to fill a connection tablegenerally will not be high enough to have a significant impact on thenetwork infrastructure. Further, the system running the web servergenerally will remain otherwise available—it simply will not be above toservice HTTP requests. In this way, the fraudulent activity may beimpaired or prevented without causing excessive collateral damage tonetwork infrastructure, etc. Of course, a generalized attack (of anyvariety) could also be used to accomplish this purpose, but such attacksmay be infeasible in some cases, e.g., due to ethical and/or politicalconsiderations.

If desired, the use of responsive information may be traced (block 870).As described above, safe responses can comprise information (such asapparently valid credit card numbers) that is not associated with anyreal user. If the perpetrator of a scam attempts to use suchinformation, the use of that information may be traced to identify theperpetrator. Merely by way of example, if the customer is a bank orcredit card issuer, an account associated with a “safe” account numbercould be opened (or the “safe” account number could otherwise bemonitored), and any attempts to access that account (e.g., attemptedwithdrawals or credit card authorizations) could be flagged for furtherinvestigation. This use of “marked money” has been used by authoritiesin other contexts, such as providing marked cash to bank robbers, thentracing the bank robbers by following the trail of the marked money asit is spend or otherwise distributed. Similar concepts may beimplemented in accordance with embodiments of the invention, using thetechnologies described herein.

Sophisticated phishers may also attempt to filter responses according tothe origin of the responses. Merely by way of example, if a phisherdetects multiple responses from a single IP address (and/or from a rangeof similar IP addresses), from a single domain, etc., that phisher mayfilter responses from that IP address/range/domain, on the theory that aplurality of responses from a single location indicate that someone hasdiscovered his scam and is attempting to identify him, submit saferesponses, etc. Hence, the method 800 can include one or more proceduresdesigned to defeat such attempts by the phisher. Merely by way ofexample, one strategy described above involves the use of multiplecomputers and/or multiple IP addresses to transmit responses indistributed fashion. In some cases, it may be advantageous to provide adiversity of IP addresses (which may be from different address blocks,etc.) to impede the phisher's ability to identify responses generatedaccording to methods of the invention.

One strategy for transmitting a from a plurality of diverse IP addresscan comprise acquiring a plurality of diverse P addresses (block 875),for instance by purchasing (or otherwise obtaining) relatively“disposable” or temporary IP addresses from a plurality of providers,for instance, by opening accounts with a plurality of different ISPs. Insome cases, it may be advantageous to obtain IP addresses associatedwith (e.g., assigned to) retail ISPs, such as MSN, AOL, etc., becauseresponses from such addresses may be assumed to originate fromconsumers, often the prime target of a phisher. (A retail ISP can beconsidered any ISP that provides Internet connectivity to consumers, asopposed to those ISPs that provide connectivity and/or other servicesmerely to businesses.) In some cases, arrangements may be made with suchISPs simply to use addresses temporarily. The method 800, then, canfurther include assigning each of the plurality of IP addresses to acomputer (and/or other device) configured to generate responses, e.g.,in accordance with methods of the invention, and/or to transmit suchresponses to the phisher's web server (block 880). In some embodiments,each of these computers may be logged on to an appropriate ISP (e.g.,the ISP with which the assigned IP address is associated) in order touse the IP address, such that any responses transmitted by the computerswill be transmitted via the ISP. Further, in certain embodiments, thesecomputers may be controlled by one or more central computers. In otherembodiments, the responses may be generated at one or more centralcomputers and then transmitted to the computers assigned the pluralityof IP addresses, which could then forward the responses (perhaps withsome modification), such that the responses appear to originate fromthese computers/IP addresses.

Another strategy which can be employed in accordance with embodiments ofthe invention is the use of a megaproxy (or similar technology) (block885) to provide responses from a single computer (or set of computers),but wherein each of the responses appears to originate from a differentIP address, domain and/or network block. Examples of such procedures aredescribed in U.S. Prov. Pat. App. No. 60/610,716, already incorporatedby reference herein. Using these and similar procedures, a group ofrequests may be made to appear as originating from a variety of sources,frustrating the phisher's attempts to filter the responses and/orforcing the phisher to block actual consumer responses in attempting toblock safe responses generated in accordance with methods of theinvention.

Merely by way of example, FIG. 9A illustrates a system 900 that may beused to submit responses to a phishing scam. The system 900 works byusing one or more network blocks (e.g., blocks of IP addresses) assignedto one or more entities 905, which can include, in some cases, majorconsumer ISPs, such as Comcast, America Online (“AOL”), the MicrosoftNetwork (“MSN”), etc. The network blocks may be “donated” by theseentities for use in an anti-phishing solution. (Although the term“donated” is used herein for ease of description, one should not inferthat title to the network blocks necessarily is transferred to thesecurity provider or that the blocks are provided without remuneration.In some embodiments, for example, a security provider may purchase orlease blocks for use in accordance with embodiments of the invention, orthe blocks may be temporarily loaned to the security provider for suchuse. In other embodiments, the ISP need not even be aware of the purposefor which the blocks are to be used—those skilled in the art willappreciate that the allocation of dedicated network blocks from an ISPto a business for that business' use is commonplace.)

The donated blocks may be relatively permanently assigned to a securityprovider, etc. and/or may be assigned on an ad hoc basis. Such blocksmay be provided by these entities 905 via interior routing protocols,and/or a record of the donated blocks may be stored in a database 910,for use by the anti-fraud system 900. The anti-fraud system 900 can alsoinclude a network meet-me center 915, which can be any facility thatprovides an opaque connection between the network blocks and the rest ofthe Internet (and in particular, the perpetrator of online fraud). Themeet-me center 915 can provide the ability to submit a plurality ofresponses/requests 930 (e.g., HTTP POST or HTTP GET commands) to ascammer's server 250. By way of example, the responses 930 may besimilar to the responses discussed above.

The meet-me center 915 may comprise a dilution engine 920, which mayfunction in similar fashion to the dilution engines described above.(Alternatively, the meet-me center 915 may be in communication with adilution engine maintained by a security provider, perhaps as part of asystem such as the system 100 in FIG. 1A and/or the system 200 of FIG.2.) Merely by way of example, the dilution engine 920 may be a softwareapplication that is designed to create and/or format theresponses/requests 930 (perhaps in the manner discussed above), as wellas a mega-proxy 925, which can make the responses/requests 930 appear tobe originating from any of the IP addresses contained within the networkblocks stored in the database 910. In operation, therefore, the dilutionengine 920 may compose many responses/requests 930. As described in theabove, these requests/responses 930 may be formatted to appear aslegitimate responses to the phishing scam and/or may simply be genericrequests designed to occupy the server's ability to service otherrequests. The mega-proxy 925 will forward those responses/requests 930,using any appropriate address (e.g., an IP address within the blocksstored in the database 910, as described above) as the originatingaddress, to the spoofer's website 940. As noted above, theresponses/requests 930 can be designed to feed incorrect personalinformation to the website 940 and/or merely to occupy the website andthereby impede its ability to defraud others. The scammer may use afilter 935 (such as a firewall application configured to blockcommunications from particular IP blocks, domains, etc.) to attempt toblock the responses/requests 930, but this will prove problematic forthe scammer, for one or more of the following reasons.

First, since the responses/requests 930 will appear to be originatingfrom a variety of different IP addresses (and, in many cases, from avariety of different domains and/or ISPs, it will be difficult for thescammer to determine which of the responses/requests it receives arefrom the system 900 and which are from ordinary consumers. While in somecases, it may be technically possible to determine whichresponses/requests are from the system 900, making such a determinationusually will involve relatively expensive equipment and significantprocessing power, and those skilled in the art will appreciate thatonline fraud schemes are often operated by those without the financialresources to invest in such equipment. In addition, because many onlinefraud sites are operated on compromised servers operated not by thescammer but by an innocent third party, it often will be difficult forthe spoofer to marshal the required computing resources to performin-depth analysis, at least without alerting the owner of the server tothe compromise.

Further, even if the scammer is successful at identifying therequests/responses 930 from the system 900 and manages to block some ofthese requests/responses 930, the fact that those requests/responses 930often will appear to be originating from major consumer ISPs (e.g.,905), the scammer will be in the difficult position of having to blockIP addresses associated with the scammer's prime target: the averageconsumer. In this way, the system 900 can provide multiple benefits, notonly making it difficult and/or expensive for the scammer to block therequests/responses 930, but also using the scammer's attempts to blockthe requests/responses 930 against the scammer, by causing the scammerto block network blocks that also include addresses assigned to ordinaryusers, thereby blocking responses from the very people the scammer hopesto attract.

FIG. 9B 950 illustrates a method of submitting responses to a webserver. The method may be implemented in using a system such as thesystem 900 of FIG. 9A, although the methods of the invention are notlimited to any particular hardware or software implementation. Themethod 950 can include acquiring one or more IP blocks (block 955) (thatis, blocks of available IP addresses). As noted above, it may be usefulin some cases for the IP blocks to be acquired from a plurality of ISPs(including retail ISPs), in order that responses generated by the method900 appear to originate from within such ISPs (and, in particular cases,from customers of the retail ISPs, such as consumers). Variousstrategies for acquiring IP blocks are discussed above, and any of thesestrategies may be used in accordance with embodiments of the invention.In accordance with some embodiments, a record of the acquired IPaddresses and/or blocks may be stored (e.g., in a database) (block 960).

The method 950 can further include providing a mega-proxy (such as, forexample, a mega-proxy similar to the mega-proxy 925 described withrespect to FIG. 9A) and/or any other device or software applicationcapable of transmitting IP packets (and, in particular cases, HTTPrequests) that appear to originate from a variety of different sources(block 965). Providing a mega-proxy can comprise situating themega-proxy at a network meet-me center, which can be, for instance, apeering facility that provides the ability for multiple ISPs tocommunicate using interior routing protocols. In other embodiments, themega-proxy can be situated elsewhere, so long as the mega-proxy is ableto transmit packets using the acquired IP addresses.

Once an illegitimate web site is identified (block 970), for instance,using the methods discussed above, a response (e.g., an HTTP request)may be created, using, for example, the methods discussed above (block975). The mega-proxy then can obtain an IP address (for example, bysearching a database of acquired IP addresses) (block 980), and transmitthe response to the illegitimate web server (block 985), such that theresponse originates from the IP address obtained by the mega-proxy. Thisprocess may be repeated for a plurality of responses (as indicated bythe broken line in FIG. 9B). In some cases, a new IP address may beobtained for each response to be transmitted. In other cases, aparticular IP address may be used to transmit a plurality of responses.In this manner, a plurality of responses (which may, in some cases,comprise “safe” data as described above) may be transmitted to theillegitimate web server.

Returning now to FIG. 8, another strategy for responding to anillegitimate web site can implement “proxy chaining” (block 885). Proxychaining involves the transmission of response packets through a varietyof proxy servers before their final transmission to the phisher's webserver. In one embodiment of proxy chaining, a fraud-prevention system(such as the system 100 described above) can include connections to avariety of different ISPs (and, in particular, retail ISPs), via aplurality of dedicated connections, modem connections, etc. Responsesmay be sent through such connections, thereby utilizing the proxyservers of these ISPs to actually submit the request on behalf of thefraud-prevention system. When the phisher receives the responses, theresponses will appear to originate from those retail ISPs, preventingthe phisher from determining (and thus from easily being able to block)the actual machines from which the responses originated. In anotherembodiment, request may be sent through a plurality of proxy servers,perhaps in serial fashion, making it even more difficult for the phisherto determine the origination of the responses.

FIG. 10 illustrates a system 1000 that can be used to submit responsesusing a proxy-chaining strategy. The system 1000 comprises a fraudprevention system 1005, which can be similar to the systems illustratedby FIGS. 1A, 2 and/or 11 (and/or can include components similar to thosedescribed with respect to those systems), and/or can perform variousmethods of the invention. In particular, the fraud prevention system1005 can be configured to carry out a technical response (such as adilution response) against an illegitimate web server 250. The fraudprevention system 1005 may include one or more proxies 1010, which asone skilled in the art will appreciate, can be used to forward responsesfrom the fraud prevention system 1005. The proxies 1010 can be SOCKSproxies, HTTP proxies, CGI proxies and/or any other type of Internetproxy known in the art.

As those skilled in the art will appreciate, a proxy can be used todisguise header information that may be used to identify a computer(such as a dilution engine and/or a response computer) that createsand/or formats responses for transmission to the illegitimate web site250. In some embodiments, the proxies 1010 can be used to transmitresponses directly to the web site 250. In such embodiments, however,the proxies 1010 may be identified by a scammer as part of a fraudprevention system 1005 (since they will be transmitting the dilutionresponses, for example, to the server 250). To prevent suchidentification, the responses may be transmitted by the fraud detectionsystem 1005 (either through the proxies 1010 or directly) to otherproxies for transmission to the server 250.

Merely by way of example, the fraud prevention system 1005—and/or an ISP(not shown) hosting the fraud prevention system 1005—may have a peeringrelationship (as is known in the art) with one or more data centers 1015(which may themselves be ISPs and/or hosted by ISPs). The responses maybe transmitted to these data centers 1015, either through a directpeering connection or via the Internet 205, and the data centers 1015may transmit these responses to the server 250, often through their ownproxies 1020.

The proxies 1020, like all of the proxies discussed herein, can beanonymous proxies. Further, in certain embodiments, the proxiesdiscussed herein may be “distorting” proxies, which can omit and/orsubstitute false or pseudorandom data into certain fields in HTTPrequests (which can comprise the dilution responses), such as the“HTTP_VIA” and “HTTP_X_FORWARDED_FOR” fields, thereby disguising thefact that they are serving as proxies and/or obscuring the fraudprevention system 1005 (and/or components of that system) as the actualsources of the HTTP requests. The data center proxies 1020 (and otherproxies discussed herein) thus can serve to “anonymize” the responsesvis-a-vis the fraud prevention system, further isolating the fraudprevention system 1005 from detection by the server 250 (or an operatorof a scam on the server 250).

In accordance with other embodiments of the invention, the fraudprevention system 1005 may incorporate a private branch exchange (“PBX”)system 1025 (and/or any other means of providing one or more availabletelephone (POTS, ISDN or other) lines in communication with the fraudprevention system 1005. The PBX 1025 may be in communication with amodem pool 1030 (or similar device) and thus can be used to providecommunication with one or more ISPs 1035, as indicated by the brokenlines on FIG. 10. (In other embodiments, other means for providingcommunication with the ISPs 1035 may be used as well). Responses,therefore, may be routed through one or more ISPs 1035 (and, in someembodiments, transmitted to one or more proxies 1040 operated by theISP(s) 1035), which would forward the responses to the server 250. Insome cases, one or more of the ISPs 1035 may be retail ISPs, providingthe additional benefit of making the responses appear to originate fromconsumer customers of the ISPs, as discussed above.

In particular embodiments, the fraud prevention system 1005 may beconfigured to route responses through a plurality of proxies (includingany of the proxies 1010, 1020, 1040 depicted on FIG. 10) using aproxy-chaining technique. Merely by way of example, a response such asan HTTP request might be transmitted from the fraud prevention system1005 to a data center 1015 a (perhaps via a proxy 1010 a), where therequest is forwarded by the data center's proxy server 1020 a to anotherdata center 1020 b (or, alternatively, to an ISP 1035 a), where anotherproxy server 1020 b forwards the request to the web server 250 (theforwarding between links in the proxy chain can be done via a peeringconnection, modem connection, the Internet, etc.). This technique can,under some circumstances, provide more comprehensive “anonymizing” ofthe responses, making it relatively more difficult for the web server250 (and/or a scammer using the web server 250) to identify the sourceof the responses. Further, in some embodiments, the proxy servers 1010of the fraud prevention system 1005 (and/or other components of thesystem 1005, such as dilution engines, response computers, etc., whichare not shown on FIG. 10), can be configured to distribute a pluralityof responses among various proxies (e.g., 1020, 1040), randomly, inrotation, etc., to further disguise the source of the responses.

Hence, various embodiments of the invention provide several differentprocedures to circumvent filtering or blocking techniques (whether basedon the content of the responses or the origination of those responses).These procedures, which may be used separately or in any combination,make it difficult for the phisher to separate responses submitted byactual, scammed consumers from responses generated by methods of theinvention. In this way, the response and/or “marked money” techniquesdiscussed herein, as well as other anti-fraud processes, may beimplemented more effectively.

In another set of embodiments of the invention, a monitoring appliancecan be used to provide notice of a phishing scam (or other illegitimateuse of a customer's online identity) through messages received by thecustomer's system. FIG. 11 illustrates a system 1100 that may be used toidentify such an event, and FIG. 11B illustrates an exemplary method foridentifying such an event.

Merely by way of example, the system 1100 of FIG. 11 can be configuredto capture, inter alia, phishing events, in some cases, at a relativelyearly stage in the phishing scam (i.e., when phish messages originallyare transmitted to prospective victims and/or participants in thephishing scam). The system 1100 be configured to operate, in somerespects, similarly to the system 200 described with respect to FIG. 2.(It should be noted that the system 1100 of FIG. 11 may includecomponents similar to those of the system 200 of FIG. 2, although, forease of illustration, not all components are shown on FIG. 11.) A systemsimilar to the system 1100 is described in detail in commonly-assigned,U.S. Prov. App. No. 60/610,715, already incorporated by reference.

Those skilled in the art will appreciate that, when perpetrating aphishing and/or spoofing scam, a scammer often will generate bulk emailtransmissions, seeking (for example) to induce recipients to log ontothe scammer's web site, which may be engineered to appear to be thewebsite of a legitimate (and often well-known) business, such as a bank,online commerce site, etc. To enhance the scam, therefore, the scammeroften attempts to replicate and/or imitate as closely as possible anactual email message from the legitimate business. Hence, in many cases,certain fields in the message header (such as, for example, the “FROM:,”“SENDER:,” “RETURN PATH:,” and/or “REPLY-TO:” fields) may be copiedfrom, and/or forged to appear as, corresponding headers from an actualmessage sent by the legitimate business.

Although the inclusion of such false header information may helpscammers to confuse the recipients of such messages, the false headerinformation may also be used to help detect a potential online abuse,such as an attempted fraud. Those skilled in the art will appreciatethat, when a mail server receives an electronic message addressed to anaddress at that mail server, the mail server will attempt to route themessage to a mailbox associated with that message. When there is no suchmailbox, the mail server often will use one or more of these fields(such as, for instance, the “RETURN-PATH:” field) to send a “bounce”message in an attempt to notify the sender of the message that themessage could not be delivered to the address specified in the message.When the message's header information indicates that the legitimatebusiness was the sender of the message, however (as, for example, whenthe scammer wishes to make the message appear authentic), the “bounce”message will be transmitted not back to the scammer, but instead to thelegitimate business.

Moreover, because in many cases, the “bounce” message will have appendedto it a copy of the original message (or a portion thereof) sent by thescammer, significant information may be gleaned from the bounce message,using, for instance, the methods and/or systems described below. Andbecause scammers often send bursts of messages to large groups ofunverified email addresses, there is a relatively high likelihood thatany given burst of messages will include a substantial portion ofundeliverable messages. Hence, an analysis of messages received by thelegitimate business can facilitate the early detection of possibleonline abuses.

The system 1100 of FIG. 11 can be used to for this process. In additionto the components described with respect to FIG. 2, the system 1100 canadditionally feature a monitoring appliance 1105, which may be locatedat the site of a customer 225 in particular embodiments. In otherembodiments, however, the monitoring appliance 1105 may be locatedelsewhere (including at a monitoring center 215, etc.). In accordancewith some embodiments, the monitoring appliance 1105 may comprise ageneral purpose computer (such as the computers described above, forexample), perhaps with software for interfacing with the customer'semail system and/or for performing other tasks described below(including, without limitation, methods of the invention). In otherembodiments, the monitoring appliance 1105 may be a special purposemachine, with hardware, firmware and/or software instructions forperforming these tasks.

The monitoring appliance 1105 may in communication with the customer'semail system 1110. The legitimate business, (i.e., the customer) may beany entity that is concerned about phishing scams (or otherwise wouldlike to be aware of mailings purporting to originate from thatbusiness), including without limitation an organization that has anonline presence and/or would be expected to communicate with consumers,members, etc. via email (such as, for example, a bank, an onlinecommerce web site, an online auction site, etc.). The email system 1110can include, without limitation, an SMTP server, a POP3 server, a mailtransfer agent (“MTA”), and/or any other commonly-available email serverand/or client software. Standard email systems may be used in accordancewith some embodiments of the invention. In other embodiments, the emailsystem 1110 may be specially-configured (e.g., to integrate with themonitoring appliance 1105).

The monitoring appliance 1105 may be operated by the customer and/or maybe operated by a third-party, such as a security service provider, etc.The monitoring appliance 1105 may be situated in proximity to the emailsystem 1110 and/or may be remote from the email system 1110, so long asit is in communication with the email system 1110. In accordance withsome embodiments, the monitoring appliance may be in communication withand/or integrated with an email gateway, MTA, SMTP server, etc. suchthat the monitoring appliance has access to every email message incomingto the email system 1110. (In particular cases, the monitoring appliance1105 may be embodied by a modification to a standard mail systemcomponent, so that the monitoring appliance 1105 is in fact part of theemail system 1110). In other cases, the system 1100 may be configured sothat the email system 1110 (and/or a component thereof) sends copies ofparticular messages (e.g., messages meeting certain criteria that mightidentify those messages as “bounce” messages) to the monitoringappliance 1105.

The monitoring appliance 1105 may be in further communication with(and/or incorporate) a fraud prevention and/or detection systemconfigured to analyze received email messages, including for example, amaster computer 210, monitoring computer 220, and/or any other systemcomponents described with respect to FIG. 2. Hence, the monitoringappliance 1105 may be in direct or indirect communication with acorrelation engine (such as, for example, the correlation engine 125described with respect to FIG. 1A) and/or an event manager (such as theevent manager 135 of FIG. 1A), either or both which can be used toanalyze email messages, including in particular “bounce” messages,received by the email system 1110, perhaps using methods described infurther detail below. The correlation engine, which may be (but need notbe) part of a larger fraud detection and/or prevention system, may besituated locally to the customer. In other cases, however, thecorrelation engine may be located off-site. As such, the correlationengine may be managed by a security provider and/or used to analyzeincidents of possible fraud based on data received from a variety ofsources, including without limitation, various customers, other datasources (some of which are described herein), etc.

The following example illustrates one mode of operation of the system1100. In this example, it is assumed that the customer is a bank. Ascammer creates an email message that is addressed to a plurality ofaddresses, some of which the scammer assumes will be customers of thebank. This “original” message appears to be addressed to “a valuedcustomer” and to originate from the bank, and in fact, the return pathof the message lists the bank's email system 1110 (or an addressassociated with the bank's email system) in the “RETURN PATH:” field ofthe message. The scammer uses a mail server 1115 to send this originalmessage to many (perhaps hundreds or thousands) of addresses culled froma spam list maintained by the scammer (or another). (Those skilled inthe art will recognize that a phisher often will use compromised emailservers, open relays, etc. to send phish emails, but for purposes ofthis example, such distinctions are unimportant.) Assuming that one ofthese addresses is <joe_user@user.com>, the scammer's email server 1115will transmit the message to a mail server 1130 associated with the<user.com> domain, for receipt by a user “joe_user.” If “joe_user” isnot known to the <user.com> mail server 1130, that mail server 1130 willattempt to send a return, “bounce” message to the sender of the originalmessage, as discussed above. Because the “RETURN PATH:” field points tothe bank's email system 1110, however, the <user.com> mail server 1130will send the “bounce” message to the bank's system 1110, instead of tothe actual sender (the scammer's email server 1115).

When the bank's email system 1110 receives this message, it can identifyit as a “bounce” message and forward it to the monitoring appliance1105. (Alternatively, the monitoring appliance 1105 could intercept allsuch messages before reception by the email system 1110, if, forinstance, the monitoring appliance is integrated with—and/or serve as—amail gateway and/or an MTA. In yet other embodiments, the monitoringappliance 1105 may access the mail system 1110 to retrieve bouncemessages.) The monitoring appliance 1105 optionally may include astorage medium 1125 (which could comprise RAM, hard disk, one or moredatabases, etc.), for storing such messages (and/or specified portionsof such messages, information about such messages, etc.), for example,to store messages until several have been received, so that messages maybe consolidated, summarized, etc. before transmission and/or can betransmitted in batch format. Merely by way of example, if a plurality ofbounce messages are received, and all relate to a common mass mailing,it may be more efficient to provide one copy of the original message,along with a summary of information (e.g., intended recipient of eachmessage, summary of differences between messages, etc.) about thecollection of bounce messages. The monitoring appliance 1105 may thensend the “bounce” messages (and/or summary information) to a phishdetection/monitoring system (such as the system 100 depicted in FIG.1A), which may be embodied by the system 200 of FIG. 2 and/or componentsthereof, including without limitation a correlation engine, eventmanager, etc. The messages may be sent individually, in batch format, asone or more consolidated messages, etc.

In accordance with some embodiments, the monitoring appliance 1105 maybe configured to parse received messages for certain items, includingwithout limitation uniform resource locators (“URL”) contained in themessages, and may transmit only those parsed items to phishdetection/monitoring system, instead of the entire message. In yetfurther embodiments, some aspects of a correlation engine may beincorporated within the monitoring appliance 1105, such that some (orall) of the analysis of the message occurs at the monitoring appliance1105.

In particular embodiments, the email system 1110 (and/or the monitoringappliance 1105 and/or fraud detection/prevention system) may maintain alog 1120 of mail system errors, including without limitation a record of“bounce” messages and/or information about the bounce messages (e.g.,extracted portions of messages, addressee of original message, etc.).This log 1120 can be searched to determine the errors resulting from“undeliverable” addresses. This information can be used in many ways.Merely by way of example, a feedback loop may be utilized, such that“undeliverable” addresses can be used as bait email addresses for otheranti-fraud operations. For instance, if the “bounce” messages (obtainedfrom one or more customers) indicate that a particular addresses and/ordomain is used often by scammers, it might be desirable to attempt toregister that address and/or domain, thereby ensuring direct receipt ofmail addressed to that address. Such addresses can also be used to planttraceable information for “marked money” operations, as described infurther detail above.

FIG. 11B illustrates a method 1150 of identifying an illegitimate use ofa customer's online identity (such as for example, in a phishing scambased on email messages appearing to be sent from the customer). Themethod 1150 may be implemented on a system such as the system 1100 ofFIG. 11A, although it should be appreciated that the method 1150, likeother methods described herein, may be implemented in any suitablefashion and is not limited to a particular structure. The method 1150can include providing a monitoring appliance (block 1155), such as themonitoring appliances described above. Providing the monitoringappliance can include, in some embodiments, situating the monitoringappliance at a customer location and/or, in other embodiments, providinga correlation engine (described above) or similar functionality in themonitoring appliance. (In other embodiments, as noted above, themonitoring appliance may be situated elsewhere, and in fact may beincorporated within a fraud prevention system, as described above, orcomponents of such a system, such as a correlation engine.) Providingthe monitoring appliance may also include providing communicationbetween the monitoring appliance and the customer's email system.

At block 1160, the customer's email system receives an email message, inthe customary fashion. In accordance with some embodiments, thecustomer's email system may identify the message as a return message(such as a “bounce” message, as described above) (block 1165). At block1170, the message may be forwarded to the monitoring appliance (and/orthe message may be otherwise accessed by the monitoring appliance). Asdescribed above, in some cases, only messages identified as bouncemessages are forwarded to the monitoring appliance. In other cases, thecustomer's email system may be configured to forward all messages (or asubset of messages, such as all messages from unknown senders, etc.). Inyet other embodiments, the monitoring appliance may be configured toaccess the customer's email system directly (by accessing a mail store,a particular email account, an email system log, etc.), such that it maynot be necessary for the email system to forward messages to themonitoring appliance. Similarly, the email system may be configured toforward relevant entries from a log (such as a firewall log, an emailsystem log, etc.) to the monitoring appliance (block 1175), or,alternatively, to forward all log entries (in which case, the monitoringappliance may be configured to parse the log entries for relevantentries). Relevant entries may include any entries that relate to bouncemessages, etc. In other embodiments, as noted above, the monitoringappliance may be configured to access such logs directly, such thatforwarding log entries may be unnecessary.

In some cases, it may be more efficient to extract relevant portions ofmessages (and, in particular, bounce messages) (block 1180), forinstance in the manner described above. Relevant portions can include(without limitation) any portions of a message that can be used toidentify the original message (to which the bounce message is aresponse) as a phish message, any portions of a message that can be usedto identify the original sender of the message, and/or any portions of amessage that can be used to identify the intended recipient of themessage (who may in fact be the target of a phishing scam). Merely byway of example, the headers of the message, any URLs contained in themessage and/or any relevant text from the body of the message(including, in particular, any relevant portion of the original messagereproduced in the body of the bounce message).

Likewise, in some cases, it may be desirable to compile a summarymessage for analysis (block 1185). A summary message can comprise anyconsolidated message that includes the information necessary to analyzea group of messages. The use of a summary message (as opposed to themessages and/or message portions themselves) can, in some case, provideefficiencies in bandwidth used for transmitting messages for analysis,processing cycles and/or time used in analyzing messages, etc. The useof summary messages can be particularly advantageous, for example incases in which the email system receives a plurality of bounce messagesrelated to a single mass-mailing (which could be indicated by the factthat each of the plurality of bounce messages each indicates that therespective original message has a similar “RETURN PATH:” or “FROM:”header, and/or the fact that the respective body portion of each of theplurality of bounce messages reproduces a similar portion of an originalmessage. Various methods for comparing such a plurality of messages,such as checksumming, hashing, etc. all and/or part of messages andcomparing the checksums, hashes, etc. may be used. Other techniques forcomparing messages may be used as well.

In accordance with some embodiments, one or more email messages,portions of messages and/or summary messages (as appropriate) may betransferred to a fraud detection and/or prevention system for analysis(block 1190). Similarly, log entries (or summaries of such entries) maybe transferred. The transfer can be performed by any suitable method,such as FTP, NFS mount, database transaction (e.g., SQL statement), etc.In some cases, messages, logs and/or log entries (and/or portions orsummaries thereof) may be stored local to the monitoring appliancebefore transfer (in order to, for example, allow for batch transfers ona particular schedule and/or upon receipt of a certain number ofmessages, etc.). In particular embodiments, storing the messages maycomprise storing the messages in a database (perhaps with fieldscorresponding to various header fields and/or body text, etc.), suchthat transferring the messages can comprise a database synchronization.Alternatively, the messages may be stored as text files, etc. and/or thetransfer to the fraud prevention system for analysis can compriseimporting such files into an appropriate import transaction (or seriesof transactions) for a database at the fraud prevention system. Asanother example, the fraud prevention system may be configured toperform the methods described above, and/or transferring the messages(or portions, summaries, etc.) can comprise transferring the messages in(and/or converting the messages into) a format suitable for analysisusing such methods, as discussed above. For instance, the messages maybe transferred to a honeypot, and processing of the messages mighttherefore proceed as described above.

Hence, the method 150 can further comprise analyzing the message(s),log(s) and/or log entries (block 1194). As noted, the analysis of themessages may comprise analysis using methods described above.(Similarly, if analysis of the messages, logs or log entries indicates alikely online fraud, the response strategies and/or methods describedabove may also be implemented.) Analysis may be performed by the fraudprevention system (if, for example, the messages were transferred to thefraud prevention system) and/or a component thereof, such as acorrelation engine.

As noted, however, in accordance with other embodiments, the monitoringappliance might comprise a correlation engine, and/or analysis of themessages, etc. (using similar methods) could be performed at themonitoring appliance. In such cases, the results of the analysis couldbe forwarded to an event manager and/or a dilution engine (or similarcomponent), which might be incorporated within a fraud prevention systemand/or might be incorporated within the monitoring appliance, forfurther action, as appropriate.

In particular embodiments, the analysis of the messages, etc. caninclude identifying the intended recipient of the messages (block 1198).This information could be used, for example, to generate new bait emailaddresses corresponding to the intended recipient. (Additionally, thenew bait email address could be planted in various locations, asdescribed above, if desired.) Of course, based on this disclosure, oneskilled in the art will appreciate that it might be necessary to obtaina domain name associated with the address and/or to create an accountwith the provider responsible for that domain name, such that thesecurity provider would receive all mail addressed to that address. Thiscould be beneficial because, by virtue of that address' status as anintended recipient of the phish message, it is apparent that the addressalready is target for at least one scammer. Presumably, obtaining thisrecipient email address would not create a conflict with an actual user,because the fact that the phish message was undeliverable indicates thatthe address is not currently a valid address.

In the foregoing description, for the purposes of illustration, variousmethods were described in a particular order. It should be appreciatedthat in alternate embodiments, the methods may be performed in an orderdifferent than that described. It should also be appreciated that themethods described above may be performed by hardware components and/ormay be embodied in sequences of machine-executable instructions, whichmay be used to cause a machine, such as a general-purpose orspecial-purpose processor or logic circuits programmed with theinstructions, to perform the methods. These machine-executableinstructions may be stored on one or more machine readable media, suchas CD-ROMs or other type of optical disks, floppy diskettes, ROMs, RAMs,EPROMs, EEPROMs, magnetic or optical cards, flash memory, or other typesof machine-readable media suitable for storing electronic instructions.Merely by way of example, some embodiments of the invention providesoftware programs, which may be executed on one or more computers, forperforming the methods described above. In particular embodiments, forexample, there may be a plurality of software components configured toexecute on various hardware devices. Alternatively, the methods may beperformed by a combination of hardware and software.

In conclusion, the present invention provides novel solutions fordealing with online fraud. While detailed descriptions of one or moreembodiments of the invention have been given above, variousalternatives, modifications, and equivalents will be apparent to thoseskilled in the art without varying from the spirit of the invention.Moreover, except where clearly inappropriate or otherwise expresslynoted, it should be assumed that the features, devices and/or componentsof different embodiments can be substituted and/or combined. Thus, theabove description should not be taken as limiting the scope of theinvention, which is defined by the appended claims.

What is claimed is:
 1. A method for identifying a phishing scam, themethod comprising: receiving, by a mail server, a plurality of e-mailseach comprising a header; identifying, by the mail server, that at leastsome of the plurality of e-mails are addressed to a mailbox that doesnot exist; routing, by the mail server, a plurality of bounce messageseach to an address contained in a RETURN PATH field of the header fromthe respective at least some of the plurality of e-mails; anddetermining that the address contained in the respective headers was notthe original sender of the e-mail received by the mail server byanalyzing the plurality of bounce messages.
 2. The method of claim 1,wherein the determining that the address contained in the respectiveheaders was not the original sender of the e-mail received by the mailserver comprises: receiving, by the mail server, the plurality of bouncemessages, and determining that the plurality of bounce messages relateto a common mass mailing.
 3. The method of claim 2, wherein thedetermining that the plurality of bounce messages relate to a commonmass mailing includes determining that a body portion of each of thereceived plurality of e-mails is substantially similar.
 4. The method ofclaim 1, wherein the plurality of e-mails each comprise a uniformresource locater (URL), the method further comprising: identifying theURL in each of the plurality of messages; forwarding the URL to a phishdetection system.
 5. The method of claim 1, wherein the plurality ofe-mails each comprise a uniform resource locater (URL), the methodfurther comprising: analyzing the URL in each of the plurality ofmessages and determine that the URL is associated with a phishing scam.6. The method of claim 1, further comprising: forwarding the pluralityof bounce messages to a monitoring appliance.
 7. The method of claim 6,wherein the monitoring appliance identifies a portion of each of thebounce messages and send the identified portion to a phish detectionsystem.
 8. The method of claim 7, wherein the identified portion is auniform resource locator (URL).
 9. The method of claim 8, wherein theplurality of e-mails have false header information.
 10. The method ofclaim 9, wherein the false header information comprises at least one ofFROM, SENDER, RETURN PATH, and REPLY-TO fields.
 11. The method of claim1, further comprising: generating, by the mail server, the plurality ofbounce messages in response to identifying that at least some of theplurality of e-mails are addressed to a mailbox that does not exist. 12.A computer system for identifying a phishing scam, the computer systemcomprising: a mail server comprising processing circuitry and a memorycoupled with the processing circuitry, the memory having stored thereina sequence of instructions which, when executed by the processingcircuitry, cause the mail server to: receive a plurality of e-mails eachcomprising a header, identify that at least some of the plurality ofe-mails are addressed to a mailbox that does not exist, and route aplurality of bounce messages each to an address contained in a RETURNPATH field of the header from the respective at least some of theplurality of e-mails; and a monitoring appliance communicatively coupledto the mail server and configured to determine that the addresscontained in the respective headers was not the original sender of thee-mail received by the mail server by analyzing the plurality of bouncemessages.
 13. The computer system of claim 12, wherein the monitoringappliance is configured to determine that the address contained in therespective headers was not the original sender of the e-mail received bythe mail server by determining that the plurality of bounce messagesrelate to a common mass mailing.
 14. The computer system of claim 13,the monitoring appliance is configured to determine that the pluralityof bounce messages relate to a common mass mailing by determining that abody portion of each of the received plurality of e-mails issubstantially similar.
 15. The computer system of claim 12, wherein theplurality of e-mails each comprise a uniform resource locater (URL), andwherein the monitoring appliance is configured to identify the URL ineach of the plurality of messages and forward the URL to a phishdetection system.
 16. The computer system of claim 12, wherein theplurality of e-mails each comprise a uniform resource locater (URL), andwherein the monitoring appliance is configured to analyze the URL ineach of the plurality of messages and determine whether the URL isassociated with a phishing scam.
 17. The computer system of claim 12,wherein the mail server is configured to forward the plurality of bouncemessages to the monitoring appliance.
 18. The computer system of claim17, wherein the monitoring appliance is configured to identify a portionof each of the bounce messages and send the identified portion to aphish detection system.
 19. The computer system of claim 18, wherein theidentified portion is a uniform resource locator (URL).
 20. The computersystem of claim 12, wherein the plurality of e-mails have false headerinformation comprising at least one of FROM, SENDER, RETURN PATH, andREPLY-TO fields.